Senators push to ditch social security numbers in light of Equifax hack (techcrunch.com)
1126 points by Varcht on Nov 8, 2017 | 464 comments



The main problem trying to be fixed here is "identity theft". What that crime is, I think, is not clearly understood. This is when a criminal defrauds a bank or other company by getting credit using your identifying information and then defaults. The bank then misinforms the credit bureaus that you defaulted on your loan and this lie by the bank hurts you when you want to get any type of loan. This crime would be better called "bank slander" and the banks that do it should be fined heavily with some money going to the person slandered.

Banks should have to know who they are loaning money to and if they make a mistake, that needs to be solely their problem. Then banks will figure out ways to confirm your identity better and people won't get into the hell that is trying to get the "bank slander" removed from their credit report.


You said it in your comment and I've seen it in other posts here on HN. It shouldn't be called identity theft. It should be called fraud. That's what it is.

The idea of an identity, especially a permanent one that travels with you throughout your life, is a relatively recent one. 200 years ago, you could escape your past sins, so long as you didn't have an identifiable face and could speak the language at your destination. (If you couldn't, you ran the very real risk of becoming a slave, which is caused by removing a person from their context; e.g. family, language and community.)

There is a deeper question of "What is an identity?" and we also have to realize that digital identities have never existed throughout history. Not in the way they do today. It's hard for us to imagine a world before passports, before real borders and before permanent numbers and documents that follow citizens throughout their lives.

And the principal reason we have digital identities today? Debt. It is solely to trace debt. It has nothing to do with proving you went to x university or worked at y job. There are other ways to track that, which are terribly inaccurate when you really start to look at them. The principal reason for your SSN, your digital identity, is to track credit and debt. I highly recommend the book _Debt: The First 5,000 Years_. It really goes into depth on this concept.


But remember that 200 years ago you couldn’t travel, were most certainly dirt poor, and worked to eat.

And you did have identity records. If you were rich enough to have checks, you’d appear in a city directory and banks would rate your creditworthiness. If you travelled, you’d have to have silver or gold in hand, as your Boston banknote was worthless in Virginia.


200 years ago was 1817... I think you both need to go a little further back.


My family was in Ireland. 1817 wasn’t much different than 1617.


Heck no, Ireland was going gangbusters in the later part of those 200 years! [0] It's what came shortly after -- around 1845 -- that erased all the progress.

> No matter what degree of culpability should be assigned to Britain, the consequences of the famine to Ireland are indisputable: it broke the nation in half. At a million or more fatalities, it was one of the deadliest famines in history, in terms of percentage of population lost. A similar famine in the United States today would kill almost forty million people. Only the famine of 1918-22 in the Soviet Union may have been worse.

> Within a decade of the blight another two million fled Ireland. Many more followed in subsequent decades, inexorably driving its population down. The nation never regained its footing. As late as the 1960s its population was half what it had been in 1840.

> Today Ireland has the melancholy distinction of being the only nation in Europe, and perhaps the world, to have fewer people within the same boundaries than it did more than 150 years ago.

-- Transcribed from the book "1493" by Charles C. Mann.

[0] https://commons.wikimedia.org/wiki/File:IrelandEuropePopulat...


> At a million or more fatalities, it was one of the deadliest famines in history, in terms of percentage of population lost

That amounts to 20-25% of the population, including emigration [0]

I found out the Great Famine of Mount Lebanon under Ottoman rule during 1915-1918 was much worse: 50% of the population (of 400 000) died. [1]

[0] https://en.wikipedia.org/wiki/Great_Famine_(Ireland)

[1] https://en.wikipedia.org/wiki/Great_Famine_of_Mount_Lebanon


The Turkish government instigated the Great Famine of Mount Lebanon during the time they were also committing the Armenian Genocide.

When few noticed, Adolf Hitler seems to have taken it to heart[0]:

> "Our strength consists in our speed and in our brutality. Genghis Khan led millions of women and children to slaughter -- with premeditation and a happy heart. History sees in him solely the founder of a state. It's a matter of indifference to me what a weak western European civilization will say about me."

> "Who, after all, speaks today of the annihilation of the Armenians?"

[0] http://www.armenian-genocide.org/hitler.html


Wow, that's seriously disgusting to read.

I've been quite aware of the history, but to read how he takes inspiration from cruelty makes it even more disgusting.

(Oh, and yes, I'm fully aware of a number of others like the French reign of terror, Pol Pot, Rwanda, China, former Yugoslavia, Japan/China, India/minorities, a number of colonies of Western countries, natives of South and North America, but for some reason the Armenians seem to go unnoticed. Thanks for reminding.)


There are historical famines with as much as 90% fatalities among local populations. Losses of 20-50% are relatively common.

https://en.m.wikipedia.org/wiki/List_of_famines


That's a fascinating fact as an Irish descendant in America of emigrants who left because of the famine, but I have to wonder if it's cherry picked. Is the same true of any number smaller than 100?

If I don't get an answer, I'll try to find some demographics numbers and figure it out tomorrow.


Are you arguing that individual SSNs are the primary driving force of the economic development of the last 200 years?


Nope.

I would say that post-war, consumer credit drove American economic success, and that the SSN became a key part of that system. Had it not existed, something else would have served that function.


Yep, we would likely have the equivalent of a DUNS number instead, controlled by some private company spamming you on a regular basis.


Oh god, this should be criminal. Once Dun & Bradstreet have your business information -- because you can't do any contracting without one! -- you start to get really really scummy calls trying to trip you up and get you to sign up for their business "services". They will call you and it will sound exactly like some government agency doing some routine government communication and verification of your information -- not asking you to volunteer any of it, because remember, they have all your information already because it's a legal requirement to have a DUNS number, which only they can issue -- and if you're distracted at all or just not on your game, suddenly you'll be signed up for all this expensive shit which is as sticky as any other scumbag subscription "service" out there. They are scummy dirtbags. What a nightmare!


If only we had laws prohibiting racketeering and officials sworn to enforce them.


"racketeering" is a terribly vague term, and if that is what your laws are supposed to prevent then you must expect official discretion. Which means you must expect politically connected incumbents to not be much touched by it.


The point of parent is that there are two crimes (or at least a crime and a tort) here:

- by the scammer against the bank, i.e. fraud

- by the bank against the legitimate identity owner, i.e. what the parent calls "bank slander"


And related to your prior point about slavery, the function of personal bankruptcy is to prevent debt slavery: https://en.m.wikipedia.org/wiki/History_of_bankruptcy_law


Which makes the changes to the rules surrounding personal bankruptcy in 2005 even more ominous, especially when it comes to big ticket items such as student loans.

https://en.wikipedia.org/wiki/Bankruptcy_Abuse_Prevention_an...


The primary changes were to do with credit card debt. If you make >40k then you are not able to do Chapter 11. Instead, you need to do Chapter 7.


No no no no, none of this is correct. Income limits are based on your state's median income for your family size. Chapter 11 is always available; it doesn't make sense for most individuals because of quarterly UST fees. Chapter 7, and Chapter 13 plans based on actual expenses, were means tested. Private student loans were made non-dischargeable. Times between serial filings yielding a discharge were increased by 25%. Pre- and post-filing counseling/edu were mandated.

Google BAPCPA for more because the bill Bush signed sucks. EDIT: Nevermind, the wiki link in the post before yours is great.


Thief: Hi, I'd like to withdraw $100 from Joe's account.

Bank: Here is $100 from your account, Joe.

Joe: Hi bank, where's my $100?

Bank: Already gave it to you.

Joe: Wasn't me.

Bank: Well, Joe, you screwed up big time. You let someone steal your identity. Sucks to be (the real) you!


On the other side though, if Joe is protected against any fraud (as he is with credit cards), what's to prevent Joe from GIVING his identifying info to someone and then claiming identity theft? Or just buying stuff and claiming identity theft?

I would think that each new account or transaction should generate a notification to Joe and he should be able to reverse them within a certain amount of time.

Joe could make it so that his device ignores notifications about transactions made by his own device, and only hear about other ones.


> what's to prevent Joe from GIVING his identifying info to someone and then claiming identity theft? Or just buying stuff and claiming identity theft?

That would be the same crime as someone using Joe's stolen credit card info - fraud.


Then the bank has an incentive to shift responsibility back to you, e.g. by requiring withdrawal requests to be signed with your private encryption key. And you have an incentive to care about the security of this key.


Well, until the bank offers such a feature on my account then it should be on them.


There's no shared secret between just the bank and you.

Therefore the bank can't establish that it was you, who leaked the secret. (Because it's easy to leak SSN, it could have been any random company you did business with. Or the SocSecAdmin.)

And even if your shared secret was used to withdraw, there's still a chance of the bank leaking it.

So usually the shared secret's hash is stored.

This works pretty well.

Around here banks ask you to give your PIN for identification, or you have to present your ID, and they compare it with what they have on file. (So trust on first use is still important.) Sure, it's probably not hard to fake these plastic cards, but that's a rather serious crime, and then the bank can pull the security cam footage, etc...

Of course, requiring confirmation on an SMS even when you do in person banking might make sense.


And that's why the rest of the world's governments issue their own national IDs to their citizens. Heck, I have two!

I have one given to me at birth, which is a sequence of 13 numbers that gets calculated with a formula and has a control number at the end (kind of like a credit card). This one is random enough for nobody to be able to guess anyone else's (for example, how many babies were born before you on your birth day in that region is a relevant factor in the formula) and is used with government entities and government entities only (it is illegal for businesses to require you to provide that number to them to give you a service).

And I have the second one, which is the national ID number. This one was given to me when I was 18, and it serves as a proof of identity with the businesses.

And there you have it. Two distinct numbers. One for your government, and the second one for you dealing with businesses. Someone can't fake anything important (as in, government-related) with your ID, and businesses have a second number that is usually proven on the spot with the photo of you in your national ID.

Problem is solved.


No no no no no no no!

Absolutely not. I mean, I don't know which jurisdiction we are talking about, but I don't know of any that bases identity on a number.

The numbers don't serve as proof. They are just a number to help refer to you in databases.

The proof of identity is provided by the plastic cards and other items/papers. (Such as a birth certificate. And usually if you lose that to get a new copy you need some ID, and if you lose your ID cards, then a written statement from the police that you lost your ID card.)


Sounds like you live in a country with a compulsory national ID card.

Not all countries have or want that.


Naive question: why wouldn't someone want a national ID card? From my understanding and time in Sweden (granted, only 5 months) they seem like a much better system than SSN.


In the US, ID card policies were and still are often used to disenfranchise minorities from voting. The policies behind them are often inconsistently applied and sometimes require large bureaucratic efforts to rectify. Obtaining a copy of your birth certificate in the US often means going back to your home county and visiting some municipal office for hours on end. If you work a 9-5, there's no way in hell that's happening.

Voter suppression in the United States has had a long, sordid history. Blacks were given the right to vote after the civil war, prompting southern states to implement literacy tests, poll taxes, basically any legitimate-seeming test to de-facto turn away black people at the polls. This got so bad that we literally wrote an Amendment (24th) to state "yeah you can't do this either".

What's fucked up is that this sort of thing STILL happens. This past Tuesday, a number of voters in Virginia received calls telling them to go to a different polling station from the one they were assigned. See https://theintercept.com/2017/11/07/virginia-voters-get-myst...

Stuff You Should Know did a really good episode on voter suppression in the US that I'd recommend.


Historically, registries of citizen identities have been used for horrendous exploitation of the public. They have been used to ease profiling, targeting, discrimination, and elimination of anyone who is politically problematic. Personally, I resist most sorts of formalization or systemization of human life or identity. Any person who says "our policy doesn't mention your situation" or "the software doesn't allow that value/have a field for that" and considers this to be a problem of the person with a life that doesn't fit the mold the designers of the system fantasized about really ought to be punched in the mouth, and creation of an easily-indexed national ID is an important step in such systems.

Why do they want a NUMBER? Because names are too... human. They're messy, and they can change, and they don't fit standard forms. It's an impulse to purge the humanity from social identity that motivates establishment of national ID numbers.


How do you propose keeping track of people without assigning an ID number? Require everyone to have a unique name?


In the US at least, in theory the proposal for a long time was just to not keep track of people in the first place. The federal government collected taxes on things like property and tariffs that were hard to avoid, they performed a census once a decade to get a rough idea of how many people there were, and anything beyond that was none of their business.

Then we got income taxes and federally guaranteed pensions (Social Security) and medical assistance (Medicare/Medicaid) and a few other, smaller safety net programs. Furthermore, while there's plenty of fighting around the margins, the overwhelming majority of Americans are broadly in favor of keeping at least some of the Great Society programs, and that means we have to have a national registry of some sort.

It turns out that when the population is broadly distrustful of the idea of a national registry but broadly in support of a tax regime and social programs that require a national registry to function the stable equilibrium is a really really shitty national registry that everyone hates but nobody feels they can improve without getting shouted out of office. American politics is dumb.


That is the whole point. Some cultures have residual beliefs about limited government and privacy. Some sub-cultures and families in those cultures have maintained a strong belief that no one should be "keeping track" of them.


Very well said!


Based on your phrasing it sounds like you think owning a national ID card is commonplace in Sweden. The national ID card system isn't widely used at all; most people use either their driver's license or passport when they need to identify themselves.

The only thing everyone has is a person number, and the difference is that it is explicitly considered public information and you can get anyone's person number by just asking the Tax Agency. It's just a convenient way to keep track of people, not a way to actually identify yourself.


Scalability. Transactions are usually pretty small compared to annual incomes so the people doing this are doing it a lot, and you will be under some scrutiny after the 75th fraud on your account this year.

This is only an issue because of tracked non-anonymous accounts. The key for money laundering in high profit / service retail businesses is using dirty anonymous cash. Often the customers literally do not exist, imaginary entries are made at the register and cash is stuffed in.

The last suggestion is easily worked around, merely trade device IDs along with account IDs. In fact the easiest way to steal money would be simply to clone your device outright complete with saved passwords etc. Joe certainly doesn't control his own device, not the firmware, OS, or apps, not to mention MITM attacks.


Bank: Here is $100 from your account, Joe.

...

Joe: Hi bank, where's my $100?

FTFY

Bank: Here is $100 from thin air, Joe.

..

Joe: Hi bank, why is there an IOU for $100?


Exactly, "identity theft" is usually just weasel-wording for "someone broke our lazy authentication system".

Followed by "and we compounded our failure by falsely telling lots of other institutions that it was your fault."

https://www.youtube.com/watch?v=-c57WKxeELY

There won't be any improvement until the legal system creates a stronger incentive for institutions to be more secure.


The term itself is almost ambiguous.

Popular interpretation: "Theft of an identity"

Better interpretation: "Theft, by forging an identity"


Yes.

It's easy to understand why the victim of this type of fraud (the banks) would like to shift the damages onto an unrelated third party (the person whom the original perpetrator is purporting to be); it makes life much easier for them.

What's not clear is why anyone else would go along with it. If someone breaks into my home and steals my microwave, I cannot then break into my neighbor's home, steal their microwave, and then claim that my neighbor was the true victim of the burglar. I am the victim of theft, and now that I've stolen my neighbor's microwave, he is also the victim of theft. It doesn't cancel out!

I think it's important to be clear about what's going on here, who the victims are, and who they are being victimized by.


> What's not clear is why anyone else would go along with it.

Anyone else (i.e. us plebs) don't need to go along with it. The banking industry has enough $$$ to pass laws favorable to them with or without our blessing.


This reminds me of the recurring Onion title:

‘No Way To Prevent This,’ Says Only Nation Where This Regularly Happens.

I don't understand why the US has identity theft. Is it because there's no national ID? Here in Europe we don't have any "secret" number that someone can just use to open a bank account in your name.


In Europe fraudsters end up using passport copies and numbers, and the only perhaps good thing is the crime becomes localised, but if you travel into that area you might be in for a shock as I was. And then try to explain it wasn't you in a foreign language. I think the single US system has a chance of being sane to correct if you are a victim.

I have lost the battle to clear my name. Different states in Germany for example have different police systems and argh..


Don't you guys routinely use ACH transfers to buy things, give out your bank info, and just hope everything goes well?


SEPA Direct Debit, yes, is used like that.

But abuse is very low, as it requires that whoever does it identifies themselves first at another bank, and opens a merchant account (which has other verifications). And then reversing it is easy, too.

And you can't even shop with stolen IBANs at Amazon, because every major retailer will first send you a 1ct transaction with transaction info set to a OTP you use to verify that you own the account.
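The 1-cent-plus-OTP ownership check described in this comment, as an added illustration that is not from the original thread and not any retailer's real code: the shop sends a 1-cent credit transfer whose remittance text carries a one-time code, the customer reads that code off the bank statement and types it back, and the shop checks it with an expiry and an attempt limit. The IBANs, message prefix, validity window and attempt limit are constructed assumptions.

```python
"""Micro-deposit account-ownership check (hypothetical illustration).

Shop side: issue a 1-cent transfer whose remittance text carries a one-time code.
Customer side: read the code from the statement line and type it back.
Someone who merely knows a stolen IBAN never sees the statement, so never sees the code.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# 32 unambiguous characters (no 0/O or 1/I) so the code is easy to read off a statement
OTP_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
OTP_LENGTH = 6
REMITTANCE_PREFIX = "SHOP-VERIFY "   # constructed format, not a real retailer's
TTL_SECONDS = 3 * 24 * 3600          # assumption: a transfer may take a day or two to post
MAX_ATTEMPTS = 5                     # 32**6 codes, so 5 guesses succeed with ~5e-9 odds


@dataclass
class PendingCheck:
    customer_iban: str
    otp: str
    created_at: float
    attempts: int = 0
    verified: bool = False


@dataclass
class CreditTransfer:
    debtor_iban: str
    creditor_iban: str
    amount_cents: int
    remittance_info: str


def generate_otp() -> str:
    """Cryptographically random code from the unambiguous alphabet."""
    return "".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))


def start_verification(shop_iban: str, customer_iban: str,
                       now: Optional[float] = None,
                       otp: Optional[str] = None) -> Tuple[PendingCheck, CreditTransfer]:
    """Shop side: record the pending check and build the 1-cent transfer to send."""
    now = time.time() if now is None else now
    otp = generate_otp() if otp is None else otp
    pending = PendingCheck(customer_iban, otp, now)
    transfer = CreditTransfer(shop_iban, customer_iban, 1, REMITTANCE_PREFIX + otp)
    return pending, transfer


def code_from_statement_line(remittance_info: str) -> Optional[str]:
    """Customer side: pull the code out of the statement's remittance text."""
    if not remittance_info.startswith(REMITTANCE_PREFIX):
        return None
    return remittance_info[len(REMITTANCE_PREFIX):].strip()


def confirm(pending: PendingCheck, submitted: str,
            now: Optional[float] = None) -> str:
    """Shop side: check the code the customer typed back; returns a status string."""
    now = time.time() if now is None else now
    if pending.verified:
        return "already-verified"
    if now - pending.created_at > TTL_SECONDS:
        return "expired"
    if pending.attempts >= MAX_ATTEMPTS:
        return "locked"
    pending.attempts += 1
    # tolerate the way people copy codes off paper: spaces and lower case
    normalized = submitted.strip().upper().replace(" ", "")
    # constant-time compare so response timing does not leak a matching prefix
    if hmac.compare_digest(normalized.encode(), pending.otp.encode()):
        pending.verified = True
        return "verified"
    return "locked" if pending.attempts >= MAX_ATTEMPTS else "wrong-code"


def demo() -> bool:
    """Full round trip with constructed IBANs; money only ever flows TO the customer."""
    pending, transfer = start_verification("DE00SHOP0000000000001", "DE00CUST0000000000002")
    code = code_from_statement_line(transfer.remittance_info)  # needs statement access
    return confirm(pending, code) == "verified"


if __name__ == "__main__":
    print("ownership verified:", demo())
```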


Wouldn't the equivalent of ACH transfer be SEPA Credit Transfer (SCT)?

I'd add that SEPA being mandatory for all participating countries has simplified transfers a great deal. Now most banks remember creditors, just like a phone book but for money, so sending money from your phone is pretty neat.

Additionally, the SEPA effort created ISO 20022, which is gaining ground worldwide as a one-stop-shop format for financial transfers. See this article from the US Federal Reserve a couple of weeks ago: https://fedpaymentsimprovement.org/news/press-releases/feder...


Well, depends on if you consider push or pull.

SCT is entirely push, and requires signing the transaction with your card, or using at least 2FA for verification. This doesn’t happen by accident.

SDD is entirely pull, and is the only one that could theoretically be abused, but that’s as mentioned also not that easy.


And the merchant needs to have a valid direct debit mandate that he has to submit to his bank, which in turn transmits it to your bank for it to check. After your bank has confirmed the mandate, the transfer can be initiated.

SDD can be reversed without giving any reason for a whopping 8 weeks by the customer, sometimes simply by clicking "reverse" and entering a TAN.

B2B is a different beast though.


In the US, everything needed to initiate an ACH is printed on a check... and people feel very safe writing checks to one another and to companies. You never really know who sees your checks, where they are stored long-term, etc. Also, it's trivial to find a website that will sell you a box of checks; they do no verification of your identity/ownership of the accounts, they basically just print what you tell them to. Nothing is secure about banking; it really does need a modern reboot where we just sever ties to the legacy features.


Legally you can write a check on anything: post-it note, napkin, etc.


As a technicality, yes, but your bank almost certainly has a rule about what it will accept. And there's nothing illegal about that rule.


Isn't it literally a money transfer contract?


I’m pretty sure that ACH is only a USA thing.


Yes it is. I actually didn't know what it was before looking it up.


The grandparent comment is using ACH but he means the EU equivalent (whatever it's called, I'm not sure). Paying for things in EU with a direct bank transfer is very common. Almost every online shop takes it, every bill you might need to pay, even when just sending money to a friend - direct bank transfer is common.

For me with my German bank account, sending money this way always requires a one time use code. The code is not digital, the bank sends you a list of 100+ codes printed on a piece of paper. So, I'm not really worried at all because there is no possible way for a scammer to get my codes.


UK: Bank account numbers are public-ish and it's normal to give them to your friends so they can send you money (it's not normal to buy from an actual shop that way). Jeremy Clarkson made a point of giving his out on national TV. The one way to get money out of someone from those numbers is a direct debit, but as sibling comments have said the other end of those can only be a merchant account and the individual is easily able to reverse them.


> For me with my German bank account, sending money this way always requires a one time use code. The code is not digital, the bank sends you a list of 100+ codes printed on a piece of paper. So, I'm not really worried at all because there is no possible way for a scammer to get my codes.


Hummmm no?

Germany might have such a system though.


We still have identity theft in Europe, though the procedure to accomplish it effectively is usually more involved.


Are there statistics for how common it is in various places, and what amounts are typically being stolen?


Hmm, really? I've never heard of any cases, what does it look like?


See for example this story about Jeremy Clarkson.

http://news.bbc.co.uk/2/hi/entertainment/7174760.stm

He published his bank account details (and how to find his address) and dared people to withdraw funds from it. Which people did.


The Direct Debit is 100% reversible. Clarkson didn't reverse it because the people who did it chose a charity and he can afford the money. If you found the money was somehow going to an actual crook you'd reverse it.

A utility company Direct Debited money from me when they screwed up and billed me for someone else's supply. I called my bank, said I wanted the Direct Debit cancelled and the money returned, they did it and the money was back in my account the same day.

The utility company sent me all manner of outraged paperwork, including threatening to set lawyers on me, but they couldn't magically take my money, and sure enough once they understood their mistake I got an apology and they wrote off all my actual bills for the past 12 months.


It changed last year in my country; we no longer have direct debit, it is now called e-invoice. You sign up for it and start getting invoices in your bank account, then it is just one click to pay, or you can enable auto-pay, so it's essentially direct debit which you can enable/disable at any time.

But when I did have direct debit it always included the maximum pay amount which I usually set 2x the amount of average bill so if utility company makes a mistake payment will not go through.


To be fair, people didn't withdraw funds, someone was able to set up a recurring transfer (direct debit) from his account to a charity. Which makes it useless for theft, since the thief would leave definite proof of their identity (receiving account number).

The best part, I think, is Clarkson's response:

Clarkson now says of the case: "Contrary to what I said at the time, we must go after the idiots who lost the [personal information] and stick cocktail sticks in their eyes until they beg for mercy."


Bank fraud frequently requires the crook to supply an account number to transfer the funds to. This is not a problem if the only activity on the account is:

1. Opened with a fake identity

2. Stolen funds received

3. Stolen funds transferred to a bank with (intentionally) poor record keeping, potentially bouncing around a few more times.

Wire transfers seem to be a big hole at the moment.


That's in the UK, which has a common law system like the US.


Someone opens an account in your name, orders 2FA credentials (to your real address), picks up the letter and manages to convince the people at the counter that he is you, and voila, full access to all accounts. It was a pretty common one a few years ago. Nowadays I think they require you to go to a bank office to pick it up.


You get phished, someone sells your info, the buyer empties your bank account over the phone.

This and variations are very common in Europe.


Your posts in this thread would be more helpful with some source. Is it personal experience? Are you a European LEO?


Personal experience. I used to frequent several private forums related to this sort of activity and had many friends who did this for a living. I am fascinated by the inner workings of these things, so naturally I asked lots of questions.

There used to be some public discussions on the alphabay forums, which was filled with small time bank fraudsters from both the US and the EU. The EU ones actually seemed much more prevalent.

I couldn't find many interesting scrapes quickly, but this one might be worth a look: https://evidencebasedsecurity.org/forums/data/dk/darkode_scr...

I'm sure there's an AB forum scrape floating around somewhere too... But not here https://www.gwern.net/DNM-archives


> I'm sure there's an AB forum scrape floating around somewhere too... But not here https://www.gwern.net/DNM-archives

I believe the AlphaBay forums were integrated into the main site and so would be findable in the AB dump; most DNMs kept their forums on separate .onions so had to be crawled separately.


I'm 100% sure the AB forums were separate from the main site and on a different onion address. Perhaps you're confusing with Hansa?

I'll grab the dump and check the contents anyway.


When you go to open a credit card in Europe how do you prove that you are you? What prevents me from pretending to be you?


The key limitation is that you'd have to have proper ID.

Forging or getting a fake ID is harder than counterfeiting money (maybe accessible to organized crime, but certainly not worth the cost/effort/risk just to steal a few thousand dollars); lost/stolen IDs have a registry that all the banks check; and you have to show up in person so if detected you don't get a second chance, you're leaving the building in handcuffs.

Seriously, the only problem with IDs I recall from banking was the use of IDs bought off of homeless people to register shell companies for money laundering, but those were real IDs and usually with the real owner "hired" for the initial account opening.


You have to show national ID, a proof of residence and have your tax number ready.


But the tax number isn't secret right? So that doesn't do much?

What is proof of residence? A copy of your apartment lease or something like that?


Yes, the tax number isn't secret, it's just to prove that you know it and so they can correlate your tax situation, I think. The biggest proof is the identity document, which is not trivial to forge.

Proof of residence is a copy of your lease, or a bill by a power or phone company, basically a piece of formal correspondence with your address on it, so you can sort of prove you live where you say.

The bank photocopies all this, so if you forge an ID card to include your photo, they store the photo too, and if you get caught you're in deep trouble, as forgery is a serious crime. I think that's actually what prevents most identity theft here.


In France, the institutions issuing the proofs of residence add a 2D-Doc, a flashcode printed on the document that includes the key information, signed with the institution's private key.

https://ants.gouv.fr/Les-solutions/2D-Doc

Translated: https://translate.google.com/translate?sl=auto&tl=en&js=y&pr...


Ya, so I think the big difference between Europe and the US is that you can open a lot of accounts online in the US, so there is no opportunity to examine and copy a physical ID card. I can definitely see how that would raise the difficulty of pretending to be someone else.


I just opened a bank account in Germany via an app.

I had a choice between either using my eID for verification, or doing a video call and showing the ID into the camera (in a way that their systems can automatically verify the security measures).

It took 20 minutes to go from nothing to having an account, and being able to move money to and from it.


Plus there is an option where you either go to the local post office or the postman comes and verifies your ID.


Proof of residence makes it seem like it's not automated. Is the credit card approval process not automated there?


I'm not sure, I've never wanted a credit card. Why would you want automated credit card issuance?


Well, you've never wanted a credit card.


>The biggest proof is the identity document, which is not trivial to forge.

But it's usually trivial to purchase a forgery.


No, not really. I've read that in the USA it's somewhat common for people to possess fake IDs e.g. for students for age-verification purposes; but in the EU forged IDs are serious business - it's really hard to make a somewhat passable forgery, it's harder than counterfeiting currency, so unless you've got contacts with organized crime (e.g. your local drug dealer doesn't have such access) you're not going to find anyone willing to make you such an ID, and if you do, it's likely a police sting operation. Getting a fake ID gives limited benefits and means jail time even if you don't attempt to use it (fraud charges would be extra), there's not much demand among "normal people" for it (unlike e.g. drugs), so there's not a flowing market that would make such a purchase trivial.

Also, even if you could get one, it's going to cost thousands, so it's not worth it for mass scamming. Also, you'd have to show up in person and risk immediate arrest if the forgery gets detected.


> e.g. for students for age-verification purposes

What I'm hearing is our idiotic age limit on drinking makes ID forgery lucrative enough to outweigh the risks. Therefore: The drinking age in the USA is largely responsible for making identity theft easier.

I'm kidding, another major hole in this is a unique nexus of states having different ID/Driving License implementations and the fact that a vast portion of our citizens lack a passport.

Also, I'm not sure where the money is in the current system, but every time the USA tries to create a national ID all sorts of astroturfed nonsense comes out about Big Brother and COMMUNISM!!


> it's really hard to make a somewhat passable forgery

It's not, I've held several. For EU countries.

>unless you've got contacts with organized crime

Or an internet connection!

>Getting a fake ID gives limited benefits and means jailtime even if you don't attempt to use it

My personal experience has been very different. But I guess this'll vary from country to country.

>there's not much demand among "normal people" for it

How many undocumented migrants are there in Europe again? Are those people not "normal"?

>Also, even if you could get one, it's going to cost thousands

Nonsense, hundreds.


> It's not, I've held several. For EU countries.

As in an actual national ID that can be used to open bank accounts and cross borders, or some other sort of non-official ID that might be good enough to get you into bars?


Open bank accounts and cross borders kind.


I suspect that what you have seen were all forgeries of temporary non-machine-readable IDs, i.e. ID-2 format laminated cardstock, instead of ID-1 (credit card size) plastic (smart) cards, which are good enough to cross land borders, for getting beer at a bar or for cursory inspection by police. Such IDs are usually insufficient to open a bank account (and generally rejected by anyone who cares, including many parts of government) or for air travel.

Edit: or given the thread context you mean forgeries of the same level as US driver licenses for under age drinking, which is quite possible, but such forgery is readily distinguishable by anyone who has actually seen real EU ID card.


>ID-1 (credit card size) plastic (smart) card

These.

>ID-2 format laminated cardstock

Not these, I've seen plenty of US ones like this.

I am talking about forgeries specifically sold for the purpose of opening bank accounts.


You're seriously admitting to holding various forged ID cards in several EU countries? To me that is similar to someone just casually noticing that they have made counterfeit money or stolen a wallet – seriously criminal.

And I'm also heavily doubting that an internet connection is enough to get a forged ID card. It does elude me how one would do that without some sort of special machines.


There are tons of online sellers... ID cards and passports are far easier to ship than drugs.

Even the reddit fakeid community seems to have some pretty good EU ids.


You use the Internet connection to find and do business with people who have the special machines, would be my guess.


If someone is targeting you and especially you, I assume it wouldn't be super complicated.

However, purchasing a thousand SSNs and automating signups sounds a hell of a lot easier than purchasing a thousand passports and physically visiting the bank offices.


Still, requiring criminals to buy forged IDs is much more friction than not even asking for ID, as happens in the US.


If you have a way to circumvent the electronic signing solution used by most European eIDs, then nothing stops you anyway.


Nobody would ever question a broken chip. I don't think they even read them in most places, perhaps Estonia? (before the Infineon thing anyway)


Banks, police, city administration, doctors, pharmacies, insurance - those are the reasons I've pulled out my ID card in the past 10 years, and every single time it was to read the chip, with barely a passing glance given to the card itself.


I suppose you'd just use a passport instead then? Or do they actually verify those too?


If you use a passport, it'll take a lot longer to verify.

For example, banks will photocopy your passport and verify the signature on it to ensure that it's correct.

(Basically, there's an algorithm used to compute a 30 digit hash on the ID or passport, which is computed from the ID's content and a secret seed. Anyone can verify this hash easily with open algorithms and tools, but only the government can create them).


>What is proof of residence?

At least within the Netherlands, your residence is officially registered with the municipality. This is tied in with your Citizen Service Number (BSN). Without this, you cannot open a bank account.


And I bet you can't get a residence without a bank account, huh.


Don't the credit card companies do a credit check or is your tax information sufficient to know your credit worthiness? If a credit check is done, do you know which identifier the credit rating agencies use?


Every country is different, but here's the Belgian system:

There is a national ID number, equivalent to SSN, which is printed on the ID, and to which the credit history is linked. It is used for distinguishing identity, but not for authentication. For authentication you need the physical ID and sometimes the pin code. The ID card carries a digital certificate which makes them hard to forge (I’ve never heard of outright forgery), and allows for online identity (like filing taxes or opening a bank account online). Obtaining a new ID requires either presenting the old one, or visiting the police to have your identity verified in other ways.


You have an ID card with a photo on it. They're normally renewed every 10 years. For credit cards you must also show income data.


Credit cards are harder to obtain. This is not clearly a bad thing.


It sounds like it's mainly that you have to sign up for one in person? And you can't really do it online? Is that most of it?


I signed up for all my bank accounts and credit cards online. But they have to check your ID, more and more through videochat nowadays, before that you'd either need to mail documents or go to a post office where the staff is able to stamp a form that says they've checked your ID.

Also in most European countries the administration knows your official address and companies can check that you live where you pretend to.


The bank may refuse to issue one if they don't like you, and they often do so. For example, if you're not a citizen of the country. Or don't have permanent residence yet. Or they don't like your accent. Or…

My first credit card application was rejected with no explanations.


Sure you can sign up for one online. But at least in Sweden you generally have to identify yourself with a cryptographic token issued by your bank.


In Europe credit cards are very rare so bank accounts are usually the target instead. In Europe it's also practical to send wire transfers online without going to a branch, unlike the US.

Getting your bank accounts emptied sucks much more than having someone open a credit card in your name.


>>In Europe credit cards are very rare

I think we must be from different parts of Europe. Where I live it is hard to avoid getting one or more credit cards.


In my experience of living on both continents: European credit cards are much more like debit cards in the US and US-style credit cards are super rare.

Everyone I know in Europe with a "real" credit card just has an Amex.


Don't try to generalise banking/credit cultures across Europe, some countries may be the same as each other but there's a wide variety.

According to https://merchantmachine.co.uk/visa-mastercard-amex/ there are very few places in Europe where AmEx is #1 for credit cards (and, being from the UK, I'm actually surprised to see UK as one of those countries... I would have bet money on Visa/Mastercard having higher market share than AmEx here, even for credit cards alone).

From personal experience: what kind of cards (both debit vs credit, and what network they're on) varies massively in different EU countries.


I had a European Visa. It was very different than my US Visa.

In the US it collects points and cashback and you can magically go above the limit if you have money on your checking account. You have to do really really crazy stuff to get a transaction rejected. It gives you insurance for car rentals and concierge services for things I never considered.

In Europe I had a Visa and a MasterCard. No points, no cash back. Couldn’t go over the limit, forced to pay everything off every month. If you don’t, card is blocked.

In the US you can (often?) pay off as little as $25 on a massive CC debt and there’s a lot of interest on what you don’t pay off. I didn’t have any interest in Europe, it just stopped working if I didn’t pay it off next month.

From what I can tell, most Americans wouldn’t recognize my European Visa or MasterCard as a credit card. It behaves like a half step between debit and credit.

Are other cards in Europe closer to the American version?


Both MasterCard and Visa offer both types of cards. I've got two different Mastercards from my bank. One that is a debit card, draws money directly from my account and stops working if there is no money in the account. The other is a credit card with a line of credit, a bill at the end of each month and an option to only pay off a small part of what I owe.

That being said the debit card version is the one you get by default, and the credit card version is something you have to ask for separately.


It varies by country, and by what companies offer to different consumers. I'm not an expert in this area, but a few examples I know of:

- In the UK, Visa/Mastercard are the most common networks used for bank debit cards, using them pulls money from your bank account directly. Most banks give most adults (citation needed, but I think) a debit card by default with an account.

- In the UK, you can apply for credit cards from a number of companies, including banks (but it's a seperate to any bank account you might have with them), and credit card only companies. Different providers offer different types of cards, and the kind of deal you can get will depend on your credit history, salary, etc. They will (nearly always) have a credit limit, which could be a few hundred or could be very large. They will have a specific rule about minimum payments - some might want your balance paid in full each month, others will ask for a minimum payment (which could be a tiny percent of the amount owed) each month. If you pay in full, you don't get charged interest. If you take longer to pay, but within the agreed terms, you'll pay some sort of interest, which could be reasonable or extremely expensive depending on the card you have. Some cards offer benefits (points or cashback, maybe other perks like special deals, concierge services, etc.) while some are purely lines of credit with no other benefits.

- In France, I was given a Visa debit card when opening a standard bank account. No experience with French credit cards.

- In Belgium, if you want a card on the Visa/Mastercard networks, you need to get a credit card - most people use debit cards which use different networks (I think they use Maestro and another one..)


> No experience with French credit cards.

They basically don't exist here.


I am in France and it seems Visa Premier and Mastercard Gold with payments deferred to the end of month - with zero interest - are now considered "credit cards" (because they can be regarded as a limited form of credit, I suppose).

I have a small "CREDIT" label next to the chip of my new card and airlines (EasyJet, Ryanair...) now reject my card if I select the cheaper "Debit card" payment option.


I have bonus points on some cards and cash back on others. All include stuff like travel insurance if I pay > 50% of the trip with the card. I can not go over the limit based on how much money I have in the bank since the cards are not connected to my bank account. But my limit is not a problem since some increase it without me asking, and the only time I have needed to increase it on a card I could do that online in two minutes. I select how much of the balance I want to pay back each month; if I pay it all there is no interest, if I pay only part the interest is high and the CC company makes money.


You probably ended up with some kind of crappy "starter" not-really-a-credit card due to a lack of credit history in the relevant country. Those exist in the US too. It's odd that you call it a "European visa". Different European countries have different banking systems. In the UK at least, credit cards work the same as in the US.


You're overgeneralising. As a European I have four Visa cards in my wallet, two of which behave like your "US Visa" and two of which behave like your "European Visa".


The UK has credit cards that are used by ordinary people much the same as in the US. Cards are very common there, most people have at least one.

But it has different laws so that they're not as exploitative. The card companies accepted these laws in order to get a chance at the relatively wealthy British customer base. In particular:

* Issuers have to tell you each month how much it's going to cost in total to pay off your debt gradually, which is usually a scarily enormous figure.

* Issuers own the risk of buying most things with the card. If you pay £200 for a hat from an online merchant with the card, and then the merchant goes out of business without delivering, the law says the Issuer bought that hat, you owe nothing.

* Issuers own the risk of card fraud. Unfortunately juries and judges both tend to believe the smartly dressed bank official in a trial, but in law all the responsibility for fraud lies with the Issuer unless they can prove it's your fault.

A lot of people like me have a credit card, and then have the issuing bank also automatically pay off the balance every month from their current account. So the effect is that their credit card is a rolling 30 day interest free loan.


All of those rules sound like the experiences I've had with US credit cards, at least recently. Statements have an area showing "If you only pay the minimum balance, it will take X years and end up totaling $Y." Almost all cards I have used have fraud protections built in, with many even having additional warranties for products purchased.


I have several Visa and Mastercard credit cards. Amex tries to get into the market here, but has higher interest rates and a yearly fee, while most Visa and Mastercards are without any yearly fee, so Amex is rare here. The credit cards I have are not connected to my account and if I pay it all the next month there is no interest, but if I only pay part there is lots of interest. I do get points/credits on some of the cards, so those are the cards I do use.

So I am not sure what is the difference between these cards and "US-style" cards. Maybe that we only need to get an automated credit check based on past years tax reports to get them, instead of having to work hard to get a good credit score?

The differences between different parts of Europe can be larger than the difference between some parts of Europe and the USA.


> Everyone I know in Europe with a "real" credit card just has an Amex.

Lived in Sweden for the past 12 years, and never seen anybody use an Amex card (seen lots of ads for Amex though). Mastercard seems to own basically the entire credit card market here.


Does it really matter if it's MasterCard or Visa?

In my country (Bosnia), there's pretty much no difference between them. Maybe half a euro more per month for one or the other. All the banks I know of let you pick between them. Citizens usually pick randomly. They're accepted the same, you still have to chase your own bank's ATMs to avoid unnecessary fees etc.


Makes no difference to the end user. My bank recently switched its debit card from Visa to MC and it changed nothing for me.


You can send wire transfers online in the US with most banks FWIW.


On the other side though, EU wire transfers within SEPA cannot cost more than a domestic transfer and overall the domestic fees are insanely cheap, if not free.

In the USA, wire transfers average $10-25 on the outbound. Inbound, domestic wire transfers are often free, but inbound International transfers can run you $15.

This fee structure is why you see Venmo and Square Cash (and PayPal before those) become so popular.


Unless you already send wires regularly, they'll tell you to go to a branch once you click send.


Not sure what bank you are working with, but that is not my experience (as a US citizen & resident). I have sent both domestic and international wires completely online.


> I have sent both domestic and international wires completely online.

Were these wires to a company that receives lots of similar wires? Do/did you have a history of sending wire transfers? Were any of these wire transfers a significant chunk of your account balance?

All of these things matter. In the US the average person is simply far more likely to be sent to the branch when wiring $10k than in EU.


Not all of Europe has national ID. Here in the UK there's no such thing and no general requirement that you be able to identify yourself (though most banks would require photo ID like a passport or driving license or both before they let you open an account) - on the continent I have to remember to always carry my passport with me, which feels weird and oppressive.


At least as a citizen in Germany, you're not required to carry ID. You are required to own some ID (ID card or passport), and you're required to register the place you live in with the authorities. Not sure what the rules for non-citizens are.

In any case, most people I know always carry their ID card with them in their wallet. You don't need it all that often, but you might as well carry it around, and having government issued proof of your identity is actually quite handy in many situations (situations that are handled with SSID and/or credit card in the US).


> You are required to own some ID (ID card or passport), and you're required to register the place you live in with the authorities.

Fair enough, but still, that's not a requirement here, and seems weird and oppressive (indeed my memory is that being required to register where you lived was a classic example of the non-free-ness of the Soviet Union).

> In any case, most people I know always carry their ID card with them in their wallet. You don't need it all that often, but you might as well carry it around, and having government issued proof of your identity is actually quite handy in many situations (situations that are handled with SSID and/or credit card in the US).

Sure, in practice I carry my driving license around most of the time in the UK. But the fact that I don't have to feels important.


Declaring a single legal domicile is a great way to prevent problems with location-based voting and taxation.

Hypothetically, if you owned two houses, and spent exactly 182.5 days per year in each, an outside observer would not be able to tell which one you considered to be your true home. So that observer might presume it is not your home, and prevent you from voting there, or presume that it is, and levy location-based taxes as though it were your full-time residence. Worse, different observers could make those determinations separately, and you might end up paying double taxes while being denied the ability to vote in either place.

There are also concerns about the correct address the government should use to send its official communications to you. It isn't always about knowing exactly where to send the cops in ninja gear to rouse you out of bed at 2 AM.


As I understand it, the vast majority of people in the UK must tell the tax service when their address changes: https://www.gov.uk/national-insurance/change-of-circumstance


> on the continent I have to remember to always carry my passport with me, which feels weird and oppressive.

Is the passport the weird part or always carrying something to identify yourself weird?

Because I'm always carrying a wallet, with identification in the US; which I must be able to show to certain agencies at any time.


> which I must be able to show to certain agencies at any time.

Which agencies and for what reason? There is no general obligation of US citizens to carry identification or even to provide your name to authorities unless you are reasonably suspected of a crime.


I was pulled over once for doing a U-turn on a street (There was no No U-Turn sign) to pick up a friend from work whom I saw was walking. It was a very cold night and he had on only a T-Shirt. I didn't have my wallet on me, but knew exactly where it was at home.

I sat in the back of a police car for an hour while they researched everything about me.

Again, there was no No U-Turn sign. I was simply suspected of something, of which the police never informed me.

That was the day I learned I always needed my license, for apparently any reason, in the US. Even if you're white.


Didn’t you just name a reason?


The always carrying something to identify myself is weird. In practice I usually carry my driving license around, but I'd expect to be able to go out without it (and do so occasionally if I'm in an outfit without much pocket space).


Because the US has a much bigger consumer credit market. Almost every retail chain offers a credit account to customers. Even with the large amount of losses from fraud the banks and credit issuers accrue, they still make bank because of the high interest rates they charge.


If you want to live in such a "free market" world then if I'm a bank and someone fraudulently used your information to obtain a loan then I don't want to issue any more loans to anyone who uses your information.

If one person used it fraudulently then there's a much higher probability that any subsequent loan application with the same information is also fraudulent.


Which means that if a bank has failed to correctly check the identity of a client, the client will be punished his whole life by banks refusing him.


Yes. If you consider this a poor outcome, then you should consider regulating the banks.


Banks need to make loans, if they reject people based on such things they will quickly go out of business as there is an ever smaller slice of the population left over.

Instead, all that's going to happen is banks will simply require someone to show up in person and present sufficient identification.


I think this is even broader. If it becomes harder to verify identities any products that involve post-paid billing will become rarer.


It already is a crime if you tell the bank that they have made a mistake and they don't correct it. It's not hell to fix it. You just have to send a few letters.

It also already is almost all the bank's problem. After all, they are the ones that lose the money in the scenario you describe.


I think there are underlying issues beyond slander or misinformation.

In many ways, credit scores are an early example of data related problems that will become more common. Some will become serious issues in the next few years.

Credit scores are basically an estimate of credit-worthiness. The system is designed to solve the banks' problems, not consumers'. For banks, some number of false positives (creditworthy person with a bad score) is acceptable. It may narrow the market slightly, but it improves the quality of the remaining majority of customers.

This is true of a lot of statistical/algorithmic decision making. Paypal flagged me as "high risk" when I moved countries, so I can't use paypal now. For paypal, losing 1 of me to avoid 2 malicious users is an acceptable trade-off. For me, it's annoying but not a big deal because paypal is rarely the only option.

If paypal's "danger" flag were shared across the financial system, this would become a serious problem for me. It could freeze me out of online transactions entirely, maybe other things. If landlords had access to paypal's "high risk" filter, would it be worth using to filter out bad tenants? Seems possible.

The false positive problem goes from an annoyance to a fundamental rights violation quickly, if data is shared.

Insurance is acquiring similar issues, though with very different mechanisms. As statistical inference improves, insurance ceases to be insurance... Risk gets pooled across ever smaller groups. The whole purpose of insurance is to pool risk widely. IMO, this is the problem the US' health policy architects underestimated. Insurance companies know too much to be insurance companies.

More such issues are coming soon. China seems to want a credit score system, with alarmingly ambitious and political breadth... The Social Credit System.

Adtech companies and conglomerates (especially FB) are really hitting their stride. I wouldn't be surprised if they can score credit worthiness, insurance risk and other things using their web browser and app datasets.

Should adtech be allowed to service banks, insurance companies, real estate agencies and employers? If not, we should probably decide this now.

I don't know what the answers are, but credit score may be the place to start. I think approaching the problem from an identity/data protection perspective is fundamentally flawed.


> Insurance is acquiring similar issues, though with very different mechanisms. As statistical inference improves, insurance ceases to be insurance... Risk gets pooled across ever smaller groups. The whole purpose of insurance is to pool risk widely. IMO, this is the problem the US' health policy architects underestimated. Insurance companies know too much to be insurance companies.

Insurance companies typically want the best of both worlds, to -know enough- to pool narrowly (or often, exclude high risk), but glean the benefits from wide pooling.


The banks should definitely be made responsible and made to pay for all the fraud they sign off on at all of their desks.

We already know what happens when the banks run out of money. They get bailed out. That means they will NEVER be the victim.

That means we can make them pay for bailing out fraud victims and taking the hit on their behalf. It should be a service, a duty, and an honor.

But that will never happen, because this is America.


"this should be solely their problem" - from a legal standpoint, it is. The only reason it "isn't" is because the credit bureaus suck and don't move fast enough. I'm generally not in favor of using regulation as a blunt hammer, but I think a regulation that makes total sense is to strongly punish anything resembling a credit reporting agency (credit bureau or otherwise) that can't demonstrate RESULTS (not effort) in remediating errors related to ID theft.

The FCRA put a lot of measures in place to RESPOND to consumer complaints, but they don't work well and only matter when the consumer decides to complain and is willing to put the time in to do so. That's not enough - if a CRA can't demonstrate success, they should either not be allowed to exist or they should be de-certified. CRAs that can't meet that standard could still exist as businesses, but they shouldn't get the government protected oligopolistic designation they get now.


Notice how the solutions proposed to solve "identity theft" tend to be things that make it harder for the individual to engage in financial activity. Not make the credit agencies or financial institutions get their act together, but force the individuals to jump through more hoops to manage their own money.


I agree with your assessment here. But the first thing I thought of when I saw this headline was fixing the fact that SSNs are massively bad as authentication. Instead of giving people a number to authenticate, we should be using public key crypto and digital signatures. If the Equifax hack is the catalyst that pushes us to public key crypto instead of SSNs, then I'm all for it.
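Several comments above describe the same two building blocks without code: an issuer signing a document so that "anyone can verify ... but only the government can create" it (the 2D-Doc on French proofs of residence, the passport check described above, the certificate on the Belgian ID card), and a holder proving possession of a key rather than knowledge of a number (the German eID, the Swedish bank token, the suggestion here of public key crypto instead of SSNs). The following is an added example, not code from any commenter or from any real eID scheme: it uses Ed25519 from the Go standard library, the `Credential` fields and the names in it are constructed for illustration, and the "issuer" and "bank" are just two key pairs in one process. It shows why copying the credential (the equivalent of a leaked SSN) is not enough to authenticate: the relying party checks the issuer's signature, then challenges the presenter with a fresh nonce that only the holder's private key can sign.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is the record an issuer (a national ID authority in this
// illustration) signs: identifying fields plus the holder's public key.
// The field names are assumptions for this example, not a real eID format.
type Credential struct {
	Name      string `json:"name"`
	IDNumber  string `json:"id_number"`
	HolderPub []byte `json:"holder_pub"`
}

// SignedCredential carries the serialised credential and the issuer's signature.
type SignedCredential struct {
	Payload   []byte
	Signature []byte
}

// Issue produces a credential only the issuer (holder of issuerPriv) can sign.
func Issue(issuerPriv ed25519.PrivateKey, c Credential) (SignedCredential, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Payload: payload, Signature: ed25519.Sign(issuerPriv, payload)}, nil
}

// VerifyCredential lets anyone holding the issuer's public key check that the
// record is genuine and unaltered; it does not say who is presenting it.
func VerifyCredential(issuerPub ed25519.PublicKey, sc SignedCredential) (Credential, error) {
	if !ed25519.Verify(issuerPub, sc.Payload, sc.Signature) {
		return Credential{}, errors.New("issuer signature invalid: forged or altered credential")
	}
	var c Credential
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return Credential{}, err
	}
	return c, nil
}

// NewChallenge is the relying party's fresh random nonce; a new one per
// attempt is what makes a captured response useless for replay.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Respond is the holder's proof of possession: a signature over the nonce.
func Respond(holderPriv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(holderPriv, nonce)
}

// Authenticate checks the credential, then checks that the presenter controls
// the key bound inside it. The length guard matters: ed25519.Verify panics on
// a malformed public key, and the key comes from untrusted input.
func Authenticate(issuerPub ed25519.PublicKey, sc SignedCredential, nonce, response []byte) (Credential, error) {
	c, err := VerifyCredential(issuerPub, sc)
	if err != nil {
		return Credential{}, err
	}
	if len(c.HolderPub) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(c.HolderPub), nonce, response) {
		return Credential{}, errors.New("challenge response invalid: presenter does not hold the credential's key")
	}
	return c, nil
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader) // "government" keys (constructed)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader) // citizen's eID keys (constructed)
	cred, _ := Issue(issuerPriv, Credential{Name: "Jane Example", IDNumber: "TEST-0001", HolderPub: holderPub})

	nonce, _ := NewChallenge()
	if c, err := Authenticate(issuerPub, cred, nonce, Respond(holderPriv, nonce)); err == nil {
		fmt.Println("accepted:", c.Name)
	}

	// Someone who merely copied the credential (like a leaked SSN) fails the challenge.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	if _, err := Authenticate(issuerPub, cred, nonce, Respond(otherPriv, nonce)); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The split between the two checks is the point: the issuer's signature travels with the credential and can be verified offline by any bank, while the holder's private key never leaves the card or token, so the identifier printed on the document can be public without being usable for impersonation.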


I totally agree. We need to throw our reliance on SSN out the window since the hackers are selling all of ours on the dark web as I speak. I like the idea floated out here or some other strong ID route such as SSH keys between 2 parties. All adult American SSN have been compromised so we have to move on to something else that offers stronger deterrents against hackers or ahole credit bureau agencies like Equifax who steal consumers financial data and make it broadly available for hacking.


> This is when a criminal defrauds a bank or other company by getting credit using your identifying information and then defaults.

ID Theft isn't just this. Illegal aliens use ID purchased on the black market to get jobs and pass ID verification. While they have those jobs, they have payroll taxes withheld, but don't file taxes leading to some Americans being hounded by the IRS.

https://www.ice.gov/news/releases/15-illegal-aliens-arrested...

https://www.usatoday.com/story/opinion/columnists/2017/07/03...

Additionally, some American babies are assigned SSNs already associated with illegal aliens:

> Illegal aliens generally prefer SSNs that have not yet been legally issued or, failing that, the SSNs that belong to American children since these numbers can be used for years without anyone knowing it – except the IRS and the Social Security Administration.

> However, the Social Security Administration does not remove unassigned SSNs used by illegal immigrants from its database. That means the numbers are eventually assigned to newborn, American infants. Neither the Social Security Administration nor the IRS notifies American citizens when their or their children’s SSNs are used by others. In other words, the federal government has facilitated identity theft and protected the identity thieves.

http://thehill.com/blogs/pundits-blog/immigration/327049-pre...


> The main problem trying to be fixed here is "identity theft".

It wasn't a problem, at least it wasn't up until the point that creditors reframed it as "identity theft." It's fraud, plain and simple, and if it were treated as such, the burden would be on entities that have the resources to handle it (and who are also responsible for enabling it) instead of ruining the lives of normal people just going about their business. Oh, you loaned money to someone claiming to be me? I don't see how that's my problem. Sucks to be you. Maybe rethink mailing out pre-approved credit cards in the future.

> Banks should have to know who they are loaning money to and if they make a mistake, that needs to be solely their problem.

Agreed.


Mitchell and Webb had a great bit on this point: https://m.youtube.com/watch?v=CS9ptA3Ya9E


Just like any retailer who makes and delivers a sale over the internet without physical verification, the issuers of credit should be held liable. This will mean getting instant credit for purchases and such will be very difficult, but that is the price the lenders need to pay for the risk of having, not the consumer.

Perhaps they will need to partner with local banks and such. I don't care. By default they should not be able to issue credit where the liability is on the consumer until physical verification is complete.


You’re onto something with “bank slander”:

https://bootheglobalperspectives.com/article/1398476643WBG20...

“Bank Presidents and Officers must exercise great care in protecting the privacy of information they gather on people, because there are legal liabilities if a bank intentionally defames a person or invades the privacy of an individual”


This. I once applied to my bank to take out a loan for my business and the questioning I faced was very vigorous and the process took almost a month. Contrast this with getting a Visa/Mastercard for almost equivalent amount-- the sales rep fills out the information in a minute in a big box store and the card is mailed to you within a few weeks.


Agreed, a previous discussion on HN illustrated this very nicely:

https://securitybytes.io/quick-one-stop-calling-it-identity-...



I wonder if anyone has tried to sue a bank for this?


Why can't I upvote this comment?


Sorry, you are wrong. SSNs and other identity mechanisms are an infrastructure provided by the government to facilitate business. It should never be the responsibility of individuals/business to validate identity. If there are flaws in the existing system that lend themselves to manipulation, then the solution should be that the government should fix it.

Edit: In my country we didn't have a unique id till a couple of years back. So everywhere you had to submit photocopies of your id proof and another of your address proof. Imagine giving copies of your id to the lowest ranking person of the business you are dealing with. You have extra challenges if you have moved recently.


SSN are NOT an identity mechanism or infrastructure to facilitate business. They are to facilitate tracking your contributions to social security. Businesses have abused them for their own ends because at one time social security numbers were the only globally unique identifier in common use.


> SSN are NOT an identity mechanism

That's exactly what they are. I don't understand who you're trying to fool here. It's a number, for social security, that is assigned to a person. It's poor as an identification method, so it's commonly used in fraud, but that's just hand waving to distract from the discussion about the purpose.


Don't think parent poster was trying to mislead. Sounds more like poster is complaining that SSNs got overloaded beyond their original purpose (as guids for the SSA) to being used for business authentication more generally, and that because they started being used for purposes they weren't originally intended or designed for, they ended up being generally bad at it.

I tend to agree. Best practices are that we shouldn't use guids as authentication/security mechanisms in software systems because 1. they aren't necessarily random, so it's difficult to prevent fraud as a result of guessing, and 2. you can't rectify authentication issues (e.g. via rotation of authentication or adding additional entropy) without compromising the identification function (see https://tools.ietf.org/html/rfc4122#section-6).

We should never have used them as authentication methods IRL.


How in the world does the fact that it is an ID number in the Social Security system mean that it's meant to be used as an identity mechanism by businesses?


Is it only used by businesses? Don't you have to provide the SSN for your driver's license? If the government is using it as an ID across its departments, then it is an ID.


Those are two separate statements.

1. It's an ID number in the Social Security System.

2. It's also now used as an authentication mechanism by many businesses (because it's relatively ubiquitous and banks, gov, etc. assumed that the SSN owner would and could keep it secret):

a. accepting card payments on Stripe (https://support.stripe.com/questions/why-do-you-need-my-date-of-birth-and-4-digits-of-my-social-security-number)

b. driving with Lyft (https://www.lyft.com/drive-with-lyft under "What are Lyft’s requirements?")

c. also, for bonus points, take a look at what happens when you search Google for "SSN for resetting" and marvel at all the banks that let you reset your password with your SSN.
(update to try to fix formatting)


SSN are NOT an identity mechanism or infrastructure to facilitate business.

> SSN are NOT an identity mechanism

You purposely misquoted them to make your point. That's pretty lame.


It's a misquote if you parse the original statement as "NOT an ((identity mechanism or infrastructure) to facilitate business)" That would be removing important qualifiers.

It's not a misquote if you parse the original statement as "NOT ((an identity mechanism) or (infrastructure to facilitate business))". It's perfectly fine to simplify "Not A or B" into "Not A" when your argument is "Yes A".

In the context of godzilla82's wording, I think the latter interpretation is more likely, making it not a misquote. Even if that's mistaken, I doubt it was an intentional misquote.


For a long time it was illegal to use SSNs as identifiers except for tax purposes. It was a mistake to allow that restriction to be rescinded.


It was never illegal, just not recommended (as printed on the SSN card).

The printing was removed because nobody gave two shits about it.


In researching the matter further I find that I was mistaken. I was thinking of the Privacy Act of 1974, which stated: "no Federal, State, or local government could withhold a right, privilege or benefit from a person simply because the person refused to furnish his or her SSN."[1] Somehow I've believed for many years that it applied to private businesses as well, my mistake.

[1] https://www.ssa.gov/legislation/testimony_031606.html


“At one time”

What alternative would you propose now?


Having a personal relationship with the person you're loaning tons of money to so you know they are who they say they are? I know it sounds ridiculous.

And if your excuse is "well, we're too big to know our customers!" maybe you shouldn't be in the business of loaning money.


So if you move to a new town, you can't get a loan because the bank doesn't know you?

If you're an immigrant? If you're a protected class?

The whole point of the fair lending act is that lenders have to use consistent lending criteria across population groups. Going back to the pastoral days of personal relationships with bankers is the wrong answer.

PS "lending" not "loaning"


> So if you move to a new town, you can't get a loan because the bank doesn't know you?

If you are using a different bank in this new town, then yes, you're kind of SOL. However, it's not too wild to think of a way for credit history and verified identity from one bank branch to be stored in some kind of software system, which could share data between branches. The initial work in establishing trust is annoying, but verifying identity once you have some system in place is easy enough. A short phone or video call with someone who _did_ know you and works within the same institution would be a pretty sufficient way to go about it. Hell, universities have an even more archaic way of doing this: if you need proof of enrollment or a transcript then the university will send sealed snail mail to whatever institution needs the information. You can even request and deliver these yourself personally, if you want to.

Perhaps "personal" is the wrong word for the kind of relationship you want to describe though. Your relationship with the bank as an institution is independent of any SSN, they just track any credit or debt to your identity using it. There's no reason why a single number needs to track that kind of information, when the banks could just be required to verify their own knowledge of you themselves. At some point we have to admit that someone at the bank must know you, or be able to vouch that who you are is who you say you are. Even just a second check of a photo of you compared to a face scan would be more than what's verified now.


It's actually hard to understand how America has this problem because it was the USA that basically invented the concept of "know your customer" and the modern anti money laundering system in the 60s and 70s. Failing to do KYC is supposed to be a serious offence that can lead to jail time. So how is it possible that banks routinely don't know their customer sufficiently well that identity theft is a real problem?


That is crazy backwards. Banks make money liquid.

Alice in Pittsburgh wants a $100K loan to go to college.

Bob in Hawaii wants to invest $50K at a 5% return rate.

Charlie in China wants to invest $50K.

Without banks - Alice & Bob fly across the country to meet, and Bob, who knows nothing about college, hopes the college is real & Alice will pay. Alice, who knows nothing about Bob, hopes he won't get really impatient after 10 years and rob her. They talk for 30 minutes and hope that short interview is enough to establish trustworthiness on both sides.

We then repeat the whole process with Alice & Charlie.

With banks - Bob invests $50K into the bank. Charlie invests another $50K. Alice gets a $100K loan from the bank. The bank already has channels to ensure Alice is trustworthy, to verify her admission/enrollment in college, to collect loan payments, to eat the loss and give Bob his 5% returns anyways if not repaid. Even though Alice pays back $12K every year, the bank has enough liquidity to give Bob $1K every month instead as he prefers.


I think the idea is that the bank should get to know Alice, Bob and Charlie better.

By the way, banks don't lend deposited money, they create money.


In the context of the hypothetical, Bob and Charlie lend the bank $100k, which the bank keeps in its vault, for whenever the bank examiners stop by to check up on them. They then lend out $1000k as numbers in loan accounts. They put $100k in Alice's loan account, and periodically transfer numbers from Alice's account to the university bursar's account. They do the same thing for Dana, Eddie, Frank, George, Harriet, Iona, Jerry, Karen, and Lisa. Whenever someone comes by to check up on their money, the bank takes them back to the vault and points to the same pile of cash, and they leave satisfied.

Bob and Charlie get maybe 1% interest on their $100k, while the bank charges 10% on all $1000k of the leveraged loans. At year's end, the bank has paid B and C about $1k, and collected from A D E F G H I J K and L about $100k. If Bob, Charlie, or the bursar ever unexpectedly come around to make a withdrawal, the bank phones up the national central bank and says, "Yo. Boss says you need to come by and do that thing we talked about that one time. It's important." Then a truck shows up with very important pieces of fancy paper that the bank can give to people, so that they go away without getting mad. It's very important that no bank ever runs out of those, because then people wouldn't give them back to the banks to be reused, by giving them to other depositors!

It's all very complicated and important and not crooked at all. You can certainly trust those banks, because all their employees are clean and smell nice and speak clearly and wear good-looking suits.

But it is also important to realize that the bank does not need to know Bob or Charlie very well. It isn't really even strictly necessary that Bob or Charlie be real people. All that is necessary is that they have entrusted a symbol of their savings to the bank, to be used as the bank sees fit, without any direct oversight, in exchange for a pittance in interest. This is really only a good deal if you have so much money that your investments would otherwise overwhelm the capability of businesses to generate a good return on it. So banks have a few customers that deposit enormous quantities of cash with them, because the only other entities that can actually pay out a 3% return on that much dosh are national governments, state-partnered enterprises, and multinational mega-corporations. Bob and Charlie represent round-off errors. But there are a lot of Bobs and Charlies, and in aggregate they do help the bank make money, so they are tolerated, with a token amount of ass-kissing to keep them happy. And if one gets screwed over by accident once in a while, that's no big deal (to the bank).

The bank does need to know Alice and D E F G H I J K and L, but only just enough to figure out how much extra they need to charge to cover their default risk. The bank's major concern is that one of those people might actually be Maurice, who plans to default, but he is untouchable, because the bank does not know who he really is. But they know who he was pretending to be, so screw that guy; he shouldn't have let someone else pretend to be him without his knowledge, right?

So I'm not really certain that knowing all the insignificant peons would actually help. The fundamental problem with banking is that the (remaining) individual firms are too large for the median customer to matter to them at all. They have no intrinsic economic incentive to even acknowledge that a problem exists, much less admit responsibility for it, because their real business is aggregating investment opportunities that are too small to bother with individually into packages large enough to interest investors with colossal amounts of cash, and taking a percentage off the top.


But are you, as the customer, ok with having a personal relationship with a banker? Also, in a court of law, how would you define personal relationship?


How do you solve the case of a scammer loaning tons of money from a bunch of lenders and moving to a different state? The answer can't be "only loan money you know/trust," because that excludes newcomers to an area from loaning money.


> SSN are NOT an identity mechanism

They are an identification mechanism, what they are not is an authentication mechanism.

They are similar to IBAN in that way, they're suitable to e.g. give you money, they're not suitable to take money out.


>one time social security numbers were the only globally unique identifier in common use.

And now do you have other mechanisms? If you do, you should be using them; if you don't, then scrapping the only one is not a solution. Asking businesses to do verification on their own is definitely not a solution.


Why isn't it a solution to ask businesses to pay to validate the person they are conducting business with?

How do schools do background checks? How does the police force do it for their officers? Why can't the same method be used for a bank?


Those checks you talk about involve using SSNs at some point. Also, these checks are not scalable. I think, because you have not lived within a system without an id mechanism, you have no idea of the set of challenges you face as a business as well as an individual. Just think how you would prove to a lender your financial status. You would have to give him a copy of documents of all your assets (bank statements, property documents), copies of your tax returns.


Because as the previous commenter mentioned, you’re then in the position of needing to share out much more intrusive info to many more people. It’s also a pain in the ass from a customer's standpoint given the statistical rarity of someone being impacted by ID theft.


Sure, a photocopy of your ID and your address might seem more personal, but ultimately the SSN is just as personal because someone can ruin your life with that one number + your name. In that sense it seems like you are already giving out the most personal of information to some random employee at said business.


Those examples are for getting a phone or electricity connection. For a loan, you would have to give bank statements, income tax return proofs etc. And if that is not sufficient, you need to get your property appraised by "authorized" valuators!


> Should never be the responsibility of individuals/ business to validate identity.

Um, what? If you are doing business with someone based on an assumption about their identity (giving them a loan based on credit history, for example), it sure should be your responsibility to verify that that assumption is correct--that the person you're dealing with is indeed the one that all the data you have applies to. And if your assumption turns out to be wrong, the last thing you should do is blame it on the person who actually is the one all your data applies to.

> If there are flaws in the existing system that lends itself to be manipulated, then the solution should be that the government should fix it.

The government is largely the cause of the flaws in the existing system. The last thing we should do is expect the government to fix it. If private corporations are going to make use of information about you, it should be their responsibility to make sure that information is accurate.


> The government is largely the cause of the flaws in the existing system. The last thing we should do is expect the government to fix it.

“The software developers are largely the cause of the bugs in the existing software. The last thing we should do is expect the developers to fix it.”

I mean, I do believe private businesses should be held responsible, but one way to make them do that is by regulating them through an agency with higher authority, which probably means government.


> The software developers are largely the cause of the bugs in the existing software. The last thing we should do is expect the developers to fix it.

Flawed analogy. Software developers introduce bugs inadvertently, and they have both an incentive and the knowledge to fix them. (In cases where that is not true, bugs indeed do not get fixed, and we should not expect the developers to fix them. That is why open source software is important--so I can fix bugs in software I use that the developer can't or won't fix.)

Government introduces bugs on purpose, to serve special interests, or out of ignorance, because government officials who make regulations are clueless about what they are regulating--but they don't get penalized for making clueless regulations and they don't get rewarded for fixing them. So government has neither an incentive nor the knowledge to fix bugs it introduces. (And the analogue to open source software in this case is libertarianism: if the government can't or won't fix bugs in regulations, it should not regulate in the first place.)


> The original purpose of the SSN was to enable the Social Security Board to maintain accurate records of the earnings of individuals who worked in jobs covered under the Social Security program. The card was never intended to serve as a personal identification document—that is, it does not establish that the person presenting the card is actually the person whose name and SSN appear on the card.

https://www.ssa.gov/policy/docs/ssb/v69n2/v69n2p55.html

So maybe there does need to be a federal or state identification method, but because we lack a legitimate method it should also be the responsibility of the individual to do due diligence that the person they're giving credit to is the person they say they are.


> it should also be the responsibility of the individual to do due diligence

How? Ask them to carry a copy of their address proof and id proof? As an individual, do you feel ok to have copies of your id and address proofs in the hands of low level clerks?


Exactly this. I’ve been on the receiving end of ID theft before. It was a pain in the ass for a small time, but mostly resolved with a few phone calls and 3 letters sent out. Still, this is better than what is being proposed in this thread.

I’d really prefer not to need to carry around utility bills and other nonsense every time I need to conduct business. I’d also bid those folks consider what happens when you are homeless or otherwise don’t have a fixed address with utility bills in your name.


> Today, the Senate Commerce Committee questioned former Yahoo CEO Marissa Mayer, Verizon chief privacy officer Karen Zacharia and both the current and former CEOs of Equifax on how to protect consumers against major data breaches.

So, ask the person who lost 3 billion accounts, the person who is stuck with the mess from losing 3 billion accounts, the person who lost 145 million SSNs, and the person who is stuck with the mess from losing 145 million SSNs how to protect against data breaches?

I appreciate the relevance of those individuals to data security, but they're clearly not subject matter experts. If I wanted to secure my home against burglars, burglary victims probably wouldn't be my first consultation.

That said, the mostly fixed nature of SSNs and their intrinsic potential for introspection is a huge liability and we should move away from them.

[edit: Karen Zacharia may well be a subject matter expert here, it's a little unfair to group her in with my rant.]


Burglary victims should be your first consultation, because most people who weren't burgled were probably just lucky, or were burgled but haven't realized it yet.

If there are 10 houses, a burglar tries to get into all 10 but only succeeds on 2, then you should talk to the 8 owners who successfully protected their houses. If there are 1000 houses, a burglar tries to get into 10 but doesn't tell you which 10, and succeeds on 2, you should talk to those 2 owners because they know for a fact what can fail. 990 owners will just say "do what I do" without having any evidence that their strategy is actually safe.


Or, you know, maybe stop talking to homeowners, victims or not, and start talking to people who make locks and safes. Actual subject matter experts rather than targets.

CEOs, at best, will be proxies for whatever security personnel they have on staff and we have no way of evaluating the credentials of those security staff. At worst, they'll be advocating for policies that reduce their exposure/costs at the expense of greater overall fraud costs.

The senate should use their own knowledgeable proxy in this case. NIST has already shown itself capable of creating security standards of a reasonable quality. Run another public competition for a national ID system capable of replacing SSN and let real security professionals propose (and then debate) a way out of the current mess. Senators can then codify the results of that process into law.


> Or, you know, maybe stop talking to homeowners, victims or not, and start talking to people who make locks and safes. Actual subject matter experts rather than targets.

You want to talk to the burglars. They already know the locks and safes and likely know even better how to break them than the creators. In this case, you want to talk to hackers.

The reason Congressional panels do things like this is to put on a good show. They like to be seen dealing with higher level matters/people as a demonstration of stature.


> In this case, you want to talk to hackers.

No - the problem here isn’t hacking, it’s allowing a fixed, easily learned number to be a sole proof of ‘identity’. SSNs were used in identity theft long before hackers.


Maybe a bad analogy, but I do think that it doesn't make sense to ask "burglary victims" for computer security at least.


They know what parts of their system were compromised, at least partially.


Yes, without Equifax, how could anyone know they should apply security patches to their systems? No one knew this until Equifax.


Technically, it is still only one data point: we should probably run some kind of controlled study to verify that this is actually a problem before we go overboard.


Ok, so why didn't they? Should we ask TransUnion what went wrong at Equifax, and what laws and regulations are needed, if any? Or should we ask Equifax?


>> Ok, so why didn't they?

The parent post was sarcasm. Equifax did not follow security practices that are common and widespread in the industry. And by industry I don't mean credit reporting companies, but companies that have systems connected to the internet.


I understand that. Why didn't they follow those practices? What can we do to force companies to follow them in the future?


Make the liability for data safe keeping lie with the company that holds the data. You don't see medical records having issues like this, because the laws surrounding them are quite fierce.


I will actually answer your question, because Equifax has already explained:

One guy was supposed to install the update, but forgot for some reason. Everything was his fault.

Did you expect anything else from a company so incompetent? With a paltry $3b/year, they can't be expected to pay for more than one person to install updates.


You force companies to secure data by giving out enormous fines to the company and criminally charging the negligent or incompetent corporate officers.


Sure, but just because you got sent to the hospital doesn't make you a doctor.


They aren't burglary victims but the guards who sleep (drunk) on their night shift.


> Karen Zacharia may well be a subject matter expert here, it's a little unfair to group her in with my rant.

"Millions of Verizon customer records exposed in security lapse - Customer records for at least 14 million subscribers, including phone numbers and account PINs, were exposed." http://www.zdnet.com/article/millions-verizon-customer-recor...

"1.5M customers of Verizon anti-hacker unit hacked" https://www.usatoday.com/story/tech/news/2016/03/25/15-milli...


It's 2008 all over again. The US/International shit show we call a media tried to make Occupy seem like lost, goalless hippies. It was the ghost of Nixon. You know why people were mad? All those executives at the highest levels committed fraud, perpetuated fraud, created a culture from top to bottom of fraud where people who issued loans were encouraged to forge documents, make up incomes and sell people on terrible mortgages. Then the media blamed those people instead of the people who put that system into place.

None of those executives went to jail. None of them faced any real fines. None of them faced any real consequences. Many of them walked away with millions. PNC bought National City Bank for $5 billion and got a $5b tax credit (National City wasn't allowed any TARP funding). Big banks knew 2008 would happen, and when it did, they used it to buy all their competition at the expense of millions of Americans who lost their homes, retirement savings, etc.

It doesn't matter if it was Bush or Obama or Hillary or Trump, because no matter which puppet is on stage, no one in the 1% who either allowed such terrible things to happen or made them intentionally happen or profited from things that happened to have fallen into their laps; none of them face any real consequences. The executives who sold off Equifax shares getting off without any wrongdoing is a perfect example. It's obvious they knew. They made money and they will never and can never be held accountable in today's world because they control, to various levels, all the world leaders and banks.


Um, what does any of that have to do with the Congressional hearing?


Is there a transcript of what kind of questions were asked? I can imagine useful information being gleaned by questions like, "what was the nature of the attack, how were people able to get in, what exactly happened here, how did you store the data, why were you confident it was secure, etc?" That gives you a starting point of what the facts are, what was really experienced. When you are working from a ground zero of zero knowledge (and I bet most of these committee members have zero knowledge, if not all of them), it's good to establish facts of what happened before figuring out solutions.


I haven't seen a transcript anywhere but presume it may end up in the Congressional Record.

The archived webcast is available https://www.commerce.senate.gov/public/index.cfm/hearings?ID...

The prepared statements from the witnesses are available to view at the bottom of that link as well.


I was burglarized by someone who kicked my front door down. Everyone who hasn't experienced that thinks it's important to fully gate off your back yard. My first-hand experience tells me that that advice wouldn't be sufficient to secure my home. Why would you prefer speculation over experience?


One of the houses I lived in had a really strong lock on the front door. The lock wasn't really the problem, though: the door is made up of four float glass panels. Of course, even if it was a solid wood door, there's another problem: the bit the lock slides into is held onto the frame by two screws.


It's crazy some door knob/dead bolt kits come with screws that just screw into the jamb. Little 3/4" screws. You really need those 3"+ screws that go into the studs. I'm sure you do this now given your experience but if you ever get a kit that doesn't come with screws like that they should definitely be purchased separately.


Another pro tip: good deadbolt kits have a lock cup with one or two holes inside as well so you can secure it even further.

Second pro tip: replace your door hinge screws (on the jamb and door) with larger 3-4” screws.

Third tip: outside doors should be solid wood or metal, not hollow.


It truly is crazy. Every door frame to the outside in my house used to have these tiny screws. It's so trivial that even I, who massively struggle with the simplest home improvement tasks, was easily able to replace the screws with much larger screws that go into the studs. Yet it seems to be standard practice to use these tiny screws. The other thing I recommend is getting security film for your windows and having it anchored to the window frame. It doesn't prevent anyone from breaking them, but it makes the process take much longer and be much noisier.


Politicians need to look like they are doing something. It doesn't matter if they actually do anything. If they look busy, they are busy and are obviously working hard and should be kept in that position.


> So, ask [the people who lost billions of accounts and SSNs] how to protect against data breaches?

It's worse than that. These are the very people who profit on trading in data linked to identity information. It's like asking the fox how to secure the henhouse, after he ate all the hens.

Any new identity scheme has to be something that does not rely on security practices of any third parties. The public component of the identifier must be useless as an identifier without the private part held only by the individual.


I suppose Karen Zacharia is the token black hat? Verizon aggressively breaks people’s expectations of privacy by MITM rewriting HTTP connections.

(Or, maybe she was at Yahoo! during the breaches...)


Verizon isn't breaking people's expectation of privacy implicitly by MitM-rewriting unencrypted HTTP.

They are breaking this expectation by using the MitM-rewriting of unencrypted HTTP to inject tracking identifier headers for third parties.

Comcast also MitM-rewrites requests and occasionally leaves extra fingerprinting entropy, but they don't intentionally kill your privacy like Verizon.


They aren't asking them for security advice. They are trying to find out the specific ways that they fucked up their security.

There could be numerous other companies that are messing things up in exactly the same way; they just haven't had the misfortune of being breached yet.


You can keep the SSN as primary key for identity, you just need a different mechanism for authenticating as that identity.

This is a solved problem in most countries, the U.S. can just pick any from a long list of countries to copy the model of wholesale.


> Multiple times throughout the hearing, Brazil’s Infraestrutura de Chaves Públicas system of citizen IDs through digital certificates came up as a potential model for the U.S. as it moves forward. In this model, a certificate lasts for three years at maximum and can be used to issue a digital signature much like written signatures are used now. Unlike its counterpart in the U.S., these identity accounts can be revoked and reissued easily through an established national protocol.

I believe most Americans are opposed to a national ID, so SSNs have been used as a (utterly terrible) workaround. Some reasoning for this, to quote an ACLU article on the subject[0], 'Former Senator Alan Cranston has described the national I.D. card as "a primary tool of totalitarian governments to restrict the freedom of their citizens." '

The Brazil solution mentioned seems pretty reasonable though. I like the built in expiration and ease of reissue. Anyone have experience with or thoughts about this sort of system?

[0] https://www.aclu.org/other/national-identification-cards-why...
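An added example, not code from the thread, from ICP-Brasil or from any project named here, of what two points in this discussion amount to in practice: the earlier remark that the public component of an identifier must be useless without the private part held only by the individual, and the certificate model quoted in this comment (a hard validity ceiling, easy revocation). It uses Go's standard library only. The assumptions are mine: a self-signed certificate stands in for the national CA, Ed25519 keys, revocation as a plain set of serial numbers (a real system would publish a CRL or run OCSP), and the holder name and serial are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MaxValidityYears mirrors the three-year ceiling quoted for the Brazilian model.
const MaxValidityYears = 3

// IssueIdentityCert mints a self-signed identity certificate for a fresh Ed25519
// key pair. Self-signing stands in for the national CA, which is not modelled.
// The holder keeps priv; everyone else only ever sees the certificate.
func IssueIdentityCert(name string, serial int64, notBefore time.Time, years int) (*x509.Certificate, ed25519.PrivateKey, error) {
	if years < 1 || years > MaxValidityYears {
		return nil, nil, fmt.Errorf("validity must be 1..%d years", MaxValidityYears)
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(years, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, priv, nil
}

// NewChallenge is the relying party's fresh 32-byte nonce. A fresh nonce per
// attempt is what makes a captured proof useless for replay.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// ProvePossession runs on the holder's side: sign the nonce with the private key.
func ProvePossession(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// VerifyClaim runs on the relying party's side. The claim is accepted only if the
// certificate is inside its validity window, its serial is not revoked, and the
// signature over our own nonce verifies under the certificate's public key.
// Knowing the certificate (the public part) alone cannot pass this check.
func VerifyClaim(cert *x509.Certificate, revoked map[string]bool, challenge, sig []byte, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate outside its validity window")
	}
	if revoked[cert.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok {
		return errors.New("unexpected public key type")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not verify: claimant lacks the private key")
	}
	return nil
}

func main() {
	issued := time.Date(2017, 11, 8, 0, 0, 0, 0, time.UTC)
	// Hypothetical holder and serial; the revocation list is constructed and starts empty.
	cert, priv, err := IssueIdentityCert("Alice Example", 42, issued, MaxValidityYears)
	if err != nil {
		panic(err)
	}
	revoked := map[string]bool{}
	challenge, _ := NewChallenge()
	sig := ProvePossession(priv, challenge)
	later := issued.AddDate(1, 0, 0)
	fmt.Println("genuine holder:", VerifyClaim(cert, revoked, challenge, sig, later))
	_, impostor, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("impostor holding only the cert:", VerifyClaim(cert, revoked, challenge, ProvePossession(impostor, challenge), later))
	fmt.Println("after expiry:", VerifyClaim(cert, revoked, challenge, sig, issued.AddDate(3, 0, 1)))
	revoked[cert.SerialNumber.String()] = true
	fmt.Println("after revocation:", VerifyClaim(cert, revoked, challenge, sig, later))
}
```

The property worth noticing is what a breach of the relying party's database would yield: a pile of certificates and old signatures over old nonces, none of which lets anyone authenticate as the holder. That is exactly the property an SSN lacks, since the number is both the identifier and the proof.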


> Former Senator Alan Cranston has described the national I.D. card as "a primary tool of totalitarian governments to restrict the freedom of their citizens."

Ugh. National IDs are common in Europe as well as other places where identity theft is mostly an exotic concept featured in the news about America. It's hard to call Belgium a totalitarian regime.

Whereas in countries without national IDs, people are forced to provide personal details to scores of vendors big and small who use these details for their purposes and may lose them to online criminals. But hey, we are protected against a hypothetical tyranny.


> we are protected against a hypothetical tyranny

This is America in a nutshell. Most of its efforts are spent protecting against what it can't see and not on the problems in front of it.


Sad I can only upvote once. But then, aliens and zombies will have a hard time invading the US.


On the other hand, there are countries that use national IDs to restrict the freedom of their citizens.

You can't base your reasoning about something like this solely on what's happening in some countries right now. That's how the SSN mess started in the first place. They weren't intended as a global identifier, there were concerns that they would be used as such, but those concerns were ignored.

Also, I'm not convinced that spinning up a new ID system is necessary to solve the issue at hand.


Isn't it legally required that you carry your ID at all times unless you are within 200 meters of your home? That would horrify most Americans. I know it is not in reality, but it sounds totalitarian.


> Isn't it legally required that you carry your ID at all times unless you are within 200 meters of your home?

In Germany there is no such requirement, even though many Germans also think that you have to carry it with you. But the Ausweispflicht (Obligation of identification) only means that you have to own an ID, but you can leave it home most of the time (which I do).


When I lived in Germany I by mistake didn't check into a tram once and was discovered by a ticket inspector. Long story short since I didn't have ID on me I ended up getting escorted by two police officers back to my house to show them my passport.

So yes, you don't have to carry ID on you in Germany, but only in the most pedantic sense. You'll just get a free police escort back to where you keep your ID in case you need to identify yourself. That hardly qualifies as not needing to carry ID when going about your business in the sense that Americans would be familiar with.


But could they have forced you to identify yourself if you hadn't broken some rule? I get it was a mistake (which I've made in the past as well), but still, the US police will probably want to identify you as well if they have reason to fine you.


I'm not sure, but in several European countries the police are able to ask you for your ID when you're going about your business; there's no limitation that it must only be in relation to an offence.

Thus any interaction with them could result in you needing to put a stop to anything else you're doing as you're escorted back to your house to fetch your ID, unless you're carrying it in the first place.

But the example I provided wasn't such an example, since there was a fine involved. However just having compelled ID changes even that situation. If Germany didn't have that I'd probably have been able to just pay the fine on the spot without needing to establish my identity.

I don't believe there's anything equivalent to that in the US. Furthermore since there's no national ID system they don't even know if you have a driver's license, social security number or passport, so their options for compelling you to produce ID are limited.


In most US states, the police can't force you to provide a physical identification card period. At most, they may be able to compel you to verbally identify yourself, e.g. by providing your name and address.

The idea of being legally required to provide government-issued identification to a law enforcement official under any circumstances is simply verboten in the US.


>The idea of being legally required to provide government-issued identification to a law enforcement official under any circumstances is simply verboten in the US.

As long as you're not within 100 miles of the border inside the "limited civil rights zone". [1]

Personal experience is that border patrol officers feel no need for "probable cause" before pulling you over and searching your vehicle.

[1] https://www.aclu.org/other/constitution-100-mile-border-zone


In such situations you have to identify yourself somehow, that's what obligation of identification means.

I was with a friend in the same situation (he forgot his ticket and had no ID). I just had to witness that he was indeed the person he said he was and it was fine.

There are many situations where in the US the police will immediately arrest you while the German police will just write down your identification and let you go for now. I would rather take the German approach.


Ironically, if you drink alcohol in the United States, you're essentially forced to carry your ID at all times because bars and restaurants check ID aggressively (even for people who are visibly much older than the legal drinking age).

So even though, as an American, I'm not required to carry my driver's license around at all times, I almost always do, and many of the few times I've left it at home I ended up regretting doing so.

Based on my visits to Europe I'd imagine Germans would find this whole situation ridiculous.


I should clarify that I was talking about Belgium which was the country the parent comment used as the example. I am aware that the laws are not the same across EU.


I think it's only fair to compare that to the _de jure_ status of many modern day US states.

More than 23 states require that someone be able to prove their identity (probably with a government-issued card) "if there is reasonable suspicion of a crime"[1].

Given that a book called "Three Felonies a Day" cites facts such as the number of crimes in the US Code, that most people haven't even started reading it, let alone memorized it, and that most lack the legal skills required to determine whether (if it's even deterministic without a judge/jury) they have committed a crime, I would argue that a clever police officer probably has the ability to use that law as a tool to create a crime where none existed before.

[1] https://en.wikipedia.org/wiki/Stop_and_identify_statutes


Isn't it legally required that you carry your ID at all times unless you are within 200 meters of your home?

There might be a country somewhere in Europe that has that law, but it's certainly not normal.


I was talking about Belgium, which is the country the comment I was replying to had used as example.

https://en.wikipedia.org/wiki/Belgian_national_identity_card


Yes. People don't though. In practice people do tend to have a driving license in their wallet.

This joyous setup is the result of the Schengen zone. When national borders were "abolished" (not really, they came back due to the migrant crisis) the way governments got police and immigration forces on board with it was to say that everyone had to have their ID on them at all times and an ID check could be done anywhere at all within the zone. I've never heard of anyone getting in trouble for not having ID on them though.


That's a lot of myths and misinformation being spread here. In the EU you only have to carry an ID while you're crossing a border. If you stay in another country of the EU you should have your ID available somewhere in that country.

But whether you actually have to carry around your ID all the time depends on the laws of the country you're in. Here in Germany you don't.


Direct from Wikipedia:

https://en.wikipedia.org/wiki/Schengen_Area#In-country_check...

It is the obligation of everyone travelling within the area to be able to show a fully valid form of personal identification approved by other Schengen states.[98]

and

Although travellers within the Schengen Area are no longer required to show documents at an internal border (although there have been some controversial instances when they have, and it is fairly common at major land border crossings with Switzerland), the laws of most countries still require them to carry identity documents

Your interpretation of this doesn't seem to be correct. The whole point of Schengen is that you don't have to show ID at internal borders, which were supposed to cease existence. Rather, you have to be able to show your ID at any time whilst travelling ... where "travelling" is such a general concept that it effectively means at all times unless you are e.g. at home.


Year 2011, I was touring Berlin with a friend, and a policeman asked us to show our ID. So, tourists need to carry a passport at all times? How'd police know who is a tourist?


Spotting tourists is usually not hard for someone who lives at the location.

Additionally, it could just have been chance.

In general, yes, you should have your ID/passport on you, but there is no real punishment for not having it other than being required to later show up at a police station and/or being escorted by the policeman to your apartment/hotel to show your ID.

A bigger problem is usually not having a drivers license on you, that gets some of the people in the police riled up (but again, no real punishment as long as you show up later at the police station)


> A bigger problem is usually not having a drivers license on you

Why? What about people that just don't have / need a drivers license?


It’s required but many people don’t do it. If you get into a situation where the police stop you and you don’t have your ID on you, just tell them you forgot it at home or you didn’t take it with you because you just went out for a short walk. Police should then drive you home where you show them your ID.


> (…) It’s required but many people don’t do it (…)

Not in general.

In Germany you just have to own an ID and be able to produce it when legally required. However, only under a very narrow set of circumstances is it legal to ask for an ID.

The police may ask for an ID only during an "Identitätsfeststellungsverfahren", which is only legal if you're suspected of a crime or if you happen to be within an area of specific public vulnerability, i.e. crime hotspots designated for vetting operations. Other than that it is in fact illegal for the police to ask for your ID. But even under those circumstances it is absolutely lawful not to carry an ID with you; the worst case scenario is that the police have to escort you to wherever you have placed your ID and you show it to them there. Depending on circumstances this might create (major) inconveniences, but it has no legal consequences.

In addition to that there are certain business transactions where an ID must be produced. For example when checking into accommodation, closing a contract with a telephone company (that's new since this year, and totally ridiculous) and opening a bank account.


In Romania it's legally required to carry your ID everywhere. I am not aware of a minimum distance :)


That's already the de facto case for non-white Americans. If you don't you risk getting snatched up by ICE.


In this context wouldn't the EU be a better entity to compare against the US federal government? In that sense the ID situation in the US is pretty much the same as in Europe (each member state issues its own IDs), except the US has an extra ID number at the federal level that was never even intended to be a federal ID number (and is consequently terrible at being that).


No, at least some of the IDs in Europe are valid in all or most of the EU. In Sweden, the ones given out by the police are valid in the EU, while for example driver's licenses are not (as an ID. They are valid to drive with).


What do you mean? I can use my driver's license as an ID in any state.


An EU driving licence is only proof of being qualified to drive, not proof of residence or nationality.

That makes it ok for some identity purposes (age, name) but not sufficient for crossing a national border.

(I'm not sure this is relevant, but I'm explaining the situation here.)


A driver's license is not an ID in the EU. It is usually used for age verification.

If you do a post-ident or anything official, you need your proper ID.


In most (all?) US states the DMV or equivalent issues both IDs and driver's licenses, with the side effect that if you have a driver's license it is also your state ID. So the fact that they are separate in the EU is tangential. The term "driver's license" in the US is synonymous with both "ID" and "driver's license" in the EU, and can be compared to either.


To prove your age, but not to identify yourself for official business (e.g. opening bank accounts) or with governments.


Who has authority to revoke the ID? Can someone get angry and un-citizen me? Will the process of getting re-identified take a day, a week, a month, years? Will I be able to continue working in that time? We need to build with these security concerns in mind. The reason SSNs are failing is that security was never supposed to be a concern for them, so no thought was paid to it.


No, the IDs cannot be revoked, and they are assigned at birth or at the moment you apply for immigration. There are some efforts to allow stripping dual-nationality criminals of their citizenship, but that process requires both a judge and a cabinet minister to sign it, and the ECHR will not allow people to be stripped of their only citizenship. And even in those cases, the national IDs will not be revoked, just invalidated.

So let's skip all the hypotheticals about having to recover one, unless you can point to an actual case from the EU, instead of Hollywood?


The clear answer to that would be: only you can revoke the certificate, either by signing or by going to something like the post office/DMV with 1-2 additional pieces of ID (for cases where your card is lost/stolen). Also the cert is only for SSN-like things and proving your identity in those cases; it's not that you're not a citizen if your cert is out of date. So you couldn't, say, open a new bank account or apply for a new loan, but everything else just keeps working.


> The reason SSNs are failing is that security was never supposed to be a concern for them, so no thought was paid to it.

NO.

The reason SSNs are "failing" is because they have been adopted by the public and private sectors because they are a de facto "username".

SSNs serve the same purpose as driver's license numbers and passport numbers, only they have less authentication, but are still more common (because most young children don't have DLs or passports).


IDs get lost and stolen sometimes, so there are established processes for that. In Germany, they cost 28.80€ to replace and take 3-6 weeks to be manufactured. You can continue working normally, and generally there is no impact on your daily life. The process takes less than an hour, excluding waiting time.

Your citizenship isn't tied to the ID, either.


Forgive my ignorance, I only (sort of) know how this works in the United States. How do Belgian creditors verify the creditworthiness of an applicant who claims to be the individual identified by a particular credit history?

Am I wrong to presume the Belgian National ID is not used for identification and verification by Belgian creditors?

I also wonder (just thinking out loud, not part of my question) what would prevent US creditors from shirking the responsibility and withholding the required resources to establish an identification and verification system which does not rely on a national ID (different from a Social Security number).

EDIT: remove extraneous word, add parenthetical to last sentence.


There is a governmental agency, part of the national bank, that keeps track of credit. Information is kept for three months after a successful repayment of credit, one year after a delayed yet complete repayment, and 10 years after a default.

Only credit information is kept, nothing regarding defaults on rent, unpaid medical bills etc...

Getting a record of your own credit history is completely free, either online, by writing a letter, or just stopping by the bank.

Yes, national ID is used for that purpose. I've only very rarely heard of identity theft by strangers, there are many hoops to jump through, like photo ID and a physical letter sent to the corresponding address for verification.

What would prevent that? Privacy laws. Keeping and sharing blacklists is not forbidden but regulated in Europe. Creditors also are obligated to use the central credit agency.


I'm not Belgian, I just had to deal with them extensively, so I can't reply. But the credit score is not related to the existence of the national ID.

I know that the monstrous institutions thriving on the FICO score are an exception. In most countries, it's the usual payslips, bank statements, stuff like that. No one needs weird stuff like secured credit cards or asking their relative to "piggyback" on their credit score.

I know that the US credit agencies tried to "educate" the local business communities in some countries on the importance of the credit score and are currently occupying a small obscure niche.


>>>Ugh. National IDs are common in Europe as well as other places

Proving the Senator's point. I am sure you believe Europe is free; it is not. Europe is very very very very very Authoritarian and restrictive.

> It's hard to call Belgium a totalitarian regime.

Belgium is Totalitarian. Seemed pretty easy to me, I just typed things on my keyboard and they appeared like magic on my screen....

National ID is the first step to https://www.aclu.org/ordering-pizza


> National ID is the first step to https://www.aclu.org/ordering-pizza

A national ID is by no means required for something like this. If businesses wanted to, they could already identify us uniquely enough to pool all their information and be able to do something like that.


Did you miss a <sarcasm> tag or are you being serious?


Here's a relevant pop science video by CGP Grey[0] that explains all the various problems with SSNs. My favorite part is the fact that until quite recently (2011) you could decrement or increment a given SSN by 1 and get another valid SSN, since they were sequential.

[0]:https://www.youtube.com/watch?v=Erp8IAUouus


SSNs are 9 digits, which means that mathematically 1 of 3 SSNs must be valid


Unpacking this for others who scratched their heads like I did:

There are 1 billion possible social security numbers. There are roughly 300 million people in the USA. So roughly 1/3 possible SSN’s is currently in use.


Does the US re-use previously issued SSNs when people die? With such a limited numeric space, they probably have to, right?


Q20: Are Social Security numbers reused after a person dies?

A: No. We do not reassign a Social Security number (SSN) after the number holder's death. Even though we have issued over 453 million SSNs so far, and we assign about 5 and one-half million new numbers a year, the current numbering system will provide us with enough new numbers for several generations into the future with no changes in the numbering system.

https://www.ssa.gov/history/hfaq.html


100 years doesn't really equate to "several generations"...


Haven’t had to yet - they’ve only been around since the ‘30s and we haven’t quite used them all up yet.


Yes, they do.


A couple of years ago I accidentally filed my tax return with a typo in the SSN. I was stunned to find that the IRS accepted it. It took months to fix.


My twin and I have SSNs a single digit apart.


Why would that be surprising? They are incremental, as far as I know..


> I believe most Americans are opposed to a national ID, so SSNs have been used as a (utterly terrible) workaround.

The federal government was never intended to administer services or benefits directly to all US citizens. The US Constitution enumerates a very limited set of federal powers: defense, foreign policy and regulation of interstate commerce, none of which concerns the average citizen day to day. It was intended for state and local governments to directly serve the people in almost all circumstances.

The New Deal was a terrible imposition of big government on the country and we're dealing with the cascade of problems and constitutional issues to this day, SSNs being a very visible example.


The role of the government has certainly evolved since the 18th century, and thank goodness we're not stuck with a union with a weak central government. Do you really look at the balkanized, fractious EU and think to yourself, "Gee, I wish we had that"? IMHO the New Deal didn't go nearly far enough.


Not OP, but I actually do wish that, yes. I think a lot of the problems we're having with political deadlock on the federal level these days boil down to pulling too many divisive issues onto that level, where the resolution, whichever way it goes, applies to over 300 million people - so you end up with a large dissatisfied minority more often than not. Specific issues aside, it doesn't strike me as particularly democratic, either; and I'm not sure representative democracy can even meaningfully scale to the point where legislators ostensibly "represent" millions of people at once.

OTOH, if we had more federalism, I think the West Coast states might have been implementing their own full-fledged public healthcare system right now, instead of trying to come up with some compromise that the other half of the country can maybe accept (like ACA).

All that said, I don't see a problem with national ID. It's just as useful to the states as it is to the feds, and it's clear that something like that can only be run by the feds.


> Do you really look at the balkanized, fractious EU and think to yourself, "Gee, I wish we had that"?

That sounds pretty nice actually.


Do you look at the balkanized, fractious USA and think to yourself, "Gee, I wish we had that"? Endless wars, being ruled by people who live thousands of miles away and don't understand your state's needs?


>and think to yourself, "Gee, I wish we had that"?

No I think "why the hell didn't they put a sunset provision in all those bills?"

As an aside, one could construct a pretty good argument that the new deal was the result of all the Europeans who got off the boat in the prior decades throwing away freedom they really hadn't come to appreciate in exchange for the government playing the role of a lord who has some responsibility to prevent his peasants from hitting rock bottom (lest they revolt) with the catch being that said lord also has a ton of control over their freedom.


You don't engage in interstate commerce on a day to day basis? Do you only eat food grown in your own state, sold by local businesses who don't operate in any other state?


Do you only eat food grown in your own state

Even if you did, it doesn't matter. https://en.wikipedia.org/wiki/Wickard_v._Filburn


So what? People who live in the EU engage in inter-state (-nation, I mean, to disambiguate) commerce daily as well, and that seems to be going no worse over there than it is over here.


I don't really see your point. Practically speaking, I only buy food sold in my local grocery store. Sure the grocery chain probably really does take deliveries directly from other states every day, but I'm not directly involved in the interstate portion of the supply chain.


While you're right, and I don't think you ought to be downvoted, governments evolve.


Actually, Social Security is a terrific program which has done more to reduce and prevent poverty than any other government program ever.

It is the US Constitution that is bad, by entrenching dysfunction and hindering reform.


How does the US Constitution entrench dysfunction and hinder reform?


There are a number of issues that contributed. Predominantly a lack of clarity on federal vs state power, which stems from a combination of unnecessarily high barriers to change (other countries tend to change their Constitutions rather frequently) and a lack of accountability (very long election cycles).

The patchwork nomic-style lawmaking that leads to eventual entrenched dysfunction and resistance to reform was assured. The US will not likely last half as long as Rome. We're 1 economic collapse away from fractionating into new aggregations.


Do you have an opinion on the correct balance between state and federal powers, and how long ought an election cycle be - does adding a ballot-based recall mechanism change things?

I'd argue our style of law making is no different than other western democracies. How do you feel law making should be different?


> on the correct balance between state and federal powers, and how long ought an election cycle be

The US doesn't have mechanisms for removal through accountability. This would mediate any need for an optimal cycle (which doesn't exist due to factors like breadth of initiative). Legal controls on "good faith" grace periods would be an effective control, but we don't even get that due to corruption. The US legal system has festered for too long imo.


> most Americans are opposed to a national ID

Easy solution: make the national ID optional, just like a passport.

Let financial institutions decide whether they want to risk extending credit to anybody, or just people with secure national IDs.


They could require the passport right now. Financial institutions want to loan money to everyone with low friction, if they think they will make a profit.


Brazilian here, currently attending the Brazilian Symposium on Computer Security, and today's speakers include the people behind this proposed national ID (it's not widespread yet).

If you have any questions I can relay it to them directly.


New Zealand has RealMe (https://www.realme.govt.nz/) which is an opt-in system you can use to identify yourself when interacting with various government departments and other entities.


RealMe is a shitty non-compliant SAML2 (not really) identity provider that's impossible to interact with correctly. I worked on a contract where RealMe was giving us different unique IDs for the same people. It's a joke and a piece of rubbish.

It's from the government who brought you Novapay and it's a piece of shit. No one uses it to manage identities and you don't really need to because there are only 4 million people there anyway. Their problem set is much more manageable.

Please never use RealMe as a real world example of anything done right. Please also never use RealMe if you can avoid it.


I think I have 2 RealMe accounts, and they're linked to different services, I have no idea which ones though. I'm not really sure what's up with them. The only government service I really use online is the IRD, who don't even use RealMe, they have their own login system.

NZTA don't even bother, and just require your driver's license number and version, which is useless security. I could change ownership of anybody's car, just to be a dick, or possibly even to steal a car.

RealMe is a RealMess. I find it's usually easier to just ring up the relevant department that requires me to login to RealMe.


New Zealand is a bit funny because people don't (or didn't) want a national identity system. There was public concern when photo drivers licenses were introduced because they might become a de-facto national ID card.

The privacy commissioner (that's a thing) had this to say: "the proposal to oblige drivers to carry the licence at all times while driving would mean, in effect, ... provide ideal conditions for government agencies, police officers, retailers and other businesses, to ask for the card as standard identification in a variety of dealings unrelated to road safety." https://privacy.org.nz/news-and-publications/reports-to-parl...


Which it has. Every time I've been pulled up, or talked to, by the police for more than 30 seconds, they've asked me for my driver's license, regardless of whether I'm driving or walking.


Indeed. Which means they have the worst of both worlds - hard to hide your identity and no common standard for everybody. So now there's all kinds of alternatives - licence, passport, 18+ card, birth certificate(!). RealMe is pretty nice from the user's perspective to avoid all that crap.


It's funny in light of all the "cars are freedom!" posts in the Bob Luntz post that is also up on the front page, but we DO effectively have a state-level ID system in the form of driver's licences.


The idea that people have a single, unambiguous identity is fallacious, in my opinion. If you're interacting with people, you usually only need their identity for the purpose of that interaction. The main place it becomes critical seems to be when you have a system that is driven by number bias rather than consideration of reasoned, adaptive alternatives.


how do you stop fraud from people opening a new ID and taking out loans with it instead of their "main" ID ?


What lender would trust a new id with no history?


How would you get history if no one trusts an id with no history?


Slowly.

Ask anybody who immigrated to the US, it's a royal pain. (Especially since you have global brands - like e.g. Mastercard - incapable of referencing their data from outside the US).

You start with a secured credit card for $200. Next, you buy a clunker of a car for all-cash. At that point, you have enough history to get a CC with $500-$1,000 limit. Now you pay everything through that CC. And make damn sure you're always 100% on time - a single slip costs you a lot of time setting up that history. After a year or two of that, you usually get a CC covering one or two months of income. Keep building.

It's a really painful process.


You can also go with capital one which has an unsecured $500 credit limit immigrant credit card. Citibank also had a program for new immigrant credit cards. The citibank one references your current income, I got a card with a $10k limit.

This was ~6 years ago so YMMV


yes but if you can make a new independent "ID" cert at a whim then any unsecured debt instrument will be subject to massive fraud


Or you start by getting a job with direct deposit, and depositing some savings in a bank account.


In the USA, what builds credit scores is showing a pattern of using revolving credit and servicing the debt over a period of time. You are penalized if you use too much of your available credit. You are also penalized if you use too little of it, as I found out when I paid off the balance of the one remaining card that held a balance, and saw my credit score hit by about 15 points shortly thereafter. There are other rules, too.

Basically, I can only conclude that we are encouraged to be 'good citizens" by borrowing money and paying interest on it while slowly paying back the principal. People who live on a cash-only basis, which was considered to be a respectable practice not that long ago (borrowing was shameful) have terrible credit scores.

So what, you may ask?

There are very real and increasing disincentives to having bad or no credit. Creditworthiness (in the form of a nice, easy to understand number) is being taken more and more by various entities as a sign of responsibility and even good character.

A credit score is now used by some entities, beyond the mainstay car dealers, to judge risk and character: apartment rentals and employers, to name two.

I'm not suggesting that all employers and apartment management companies do this, only that the trend (I have no citations but it should be searchable) is on the increase.

The bottom line is that in the USA today, credit scores depend on how - and how much - you borrow and repay.

Furthermore, the higher your credit score, the better you are treated, to a degree: better rates on loans, no problems getting a job (all other things being equal), and so on. The opposite is true for bad scores.

This is one of the many ways we are corralled into greasing the gears of the economy, and it is a wasteland for cash-only operators (unless, I suppose, they have a huge amount of cash).


>>Basically, I can only conclude that we are encouraged to be 'good citizens" by borrowing money and paying interest on it while slowly paying back the principal. People who live on a cash-only basis, which was considered to be a respectable practice not that long ago (borrowing was shameful) have terrible credit scores.

Welcome to the new consumerism... Being thrifty, having savings, and generally being responsible with your income is bad. The Government does not like it and punishes you with low/no interest on savings and inflation that outpaces that savings. Banks hate it because they would rather you spend, spend, spend so you need their loans to live above your means, so they can not only get interest but maybe you will also overdraft on your checking and they can kill you in fees.

Retail shops hate it because they need to sell you increasing amounts of cheaply made poor quality product you must replace every 12-18 months

The economy lives and dies with debt. If everyone started saving and living within their means tomorrow, the national economy would come to a screeching halt and we would have a depression that would make 1929 look like a boom year.


That doesn't help at all, unfortunately.


American Express can reference and transfer credit if you move abroad.

https://www.americanexpress.com/global-card-transfers/


I'll second that. Had a similar experience.


You don’t really need a history. I.e. it’s very possible to get around just fine without credit card or loans. Most people I know in continental Europe just have debit cards and only buy things they have enough cash in their bank account to afford.

The only exception is a mortgage, which is usually the only loan people take in their entire life. And it's possible to get it without having a credit score. You'll need your complete history of employment and addresses, and based on that the bank can lend you money. Perhaps car leasing is another loan people might take, but that works in a similar way.

Borrowing money to buy everything seems to be an American fetish (but also present in the U.K., which is the most America-like part of Europe and Asia, not continental Europe though). It always seemed insane to me to have to borrow money from a bank to buy a latte or groceries.


Having my consumption expenses separate from my actual bank account is quite nice - it means my bank account statement gives me a quick summary of what I spent this month (x went to my mortgage, y went on utility bills, z went on buying things) and then my credit card statement has the details. You could see it as borrowing money for your latte but you can also see it as being billed at the end of the month for your lattes which is normal for many things. In principle I'm all about living within your means, but really why wouldn't I do things this way and get a month's grace on paying for everything and free plane tickets every so often?


I get the same thing with a prepaid debit card. I use Monzo, which sends me a push notification every time I buy something, and I can see my weekly / monthly / annual spending habits per category (utilities, groceries, entertainment, eating out etc). The credit card is absolutely not needed for this, and most modern banks give you very detailed summaries like this via their web / mobile interfaces.


Because I don't want to pay an extra 2% "tax" to the banks, for loans that I don't need?

The only place I use a credit card is online. So I can pay quickly and worldwide.


How do you end up paying anything? I don't. A few shops charge a fee for using a credit card, in which case I'd use cash[1], but that's rare.

[1] Not actually true, because I find the convenience of the card is worth it - but I understand people taking the opposite position.


There's a risk you miss the credit card payment and have to pay exorbitant fees. Why risk it, just pay with debit and there is zero risk.


I've got a direct debit set up to my bank account, so there's no risk of accidentally not paying (of course it's possible to overdraw my bank account, but that would be possible when paying by debit card as well).


Yes, I had a similar setup when I had a credit card in the past (when I worked in Hong Kong I had to open a bank account with HSBC and my account came with a Visa credit card; the debit card they issued was not Visa or MasterCard so it did not work in many stores, so I used the credit card mostly).

It was annoying, as even though I set up an automated direct debit I simply didn't have peace of mind. I don't trust HSBC systems to be bug free, and a bug in their software which would not process my direct debit is something I'd keep worrying about. Much better not to have this additional subconscious stress.

But if you are in the UK or Germany or a country like that, there is no need for a credit card really. Debit cards are ubiquitous and work everywhere (UK banks will give you a proper Visa/MC debit card, not some Mickey Mouse debit card which only works in ATMs).


> But if you are in UK or Germany or country like that there is no need for credit card really.

There's no need, indeed. But as I said, a month's grace on paying for everything and free plane tickets every so often.


Shops make everything slightly more expensive if most people use a credit card... So you still end up paying for it.


You skip it - don’t have a credit score, and when you finally get around to buying a home use a lender that will manually underwrite your mortgage.

The fallacy of needing to use debt for day to day living is ruining people.


The same way someone new (young people, immigrants) gains history now. Start with something low/no risk in order to build history.


The same way you do now, as a new adult: apply for a very low-limit credit card, get an older relative to co-sign a loan for you, etc. Over time you build history that shows you are (or are not) trustworthy to lend to.


This is not a new problem. The solution is the same as it is today, you must build a history with small limit revolving lines, cosigners and guarantors.



People do have a single identity, it just isn't bound up in their documents.


You must not know (m)any LGBTQ+ people. I have several identities, and each serves a perfectly legitimate and harmless purpose.


Those are arguably facets of a single identity.

For instance, you did not refer to yourself as "we".


The confusion you have here is that you have the wrong conception of "identity". You are assuming there is a single "authoritative" identity established by your physical being, and that is the fundamental error here. You can't refute that by simply assuming it again.

I'm not the same person I was 30 years ago, and I'm not the same person here that I am in person. Those differences are differences in identity. It doesn't matter if you want to call them 'different facets', because the only thing that matters is that they are distinguishable, and thus not the same identities. Your understanding of Retra is as much an understanding of me as it is an understanding of 2-year-old me.


Sure, but you're still the same person/individual underneath. Your various identities share, for example, the same creditworthiness.


There are crypto solutions that could make this much more interesting, such as bling signers, identity based encryption, zero knowledge proofs, etc. Most of the downsides could be worked around, if we innovate a teal solution instead of something off the shelf.


Blind signers. But I do wonder what a bling signer would do...

And “an ideal solution”. How long until we have semantic awareness in autocorrect?


Certainly national IDs are a feature of totalitarian regimes, but I don't see how they necessarily lead to one. Plenty of free societies in the world have national IDs and live quite democratically.


Estonians seem to do kind-of fine. Ignoring the weak random number generation thing ofc.


How would you know you were issuing the certificate to the right person though?


The same way you do with any other document.


Doesn't that not even really work though?


I think the idea here is that it shifts the person checking identity to the government, rather than individual organizations.


Most of the time it does. When it doesn’t you revoke the cert.


By checking their Social Security number?


National ID is the first step to https://www.aclu.org/ordering-pizza


It would be incredibly expensive to implement. I personally would make a lot of money on it, but the complexities are almost unlimited.

The GOP would never let it happen because it would make it too difficult to suppress black and poor voters by making registration unnecessary.


Wait, I thought GOP was in support of voter ID to suppress voting?


If you replaced SSN with a universal ID, that would imply that anyone filing a tax return would need one.

The purpose of voter ID laws is to suppress voting by poor people, especially African Americans, who lack ID because they do not drive, or have a difficult time meeting the standard of proof for getting an ID, or have difficulty going to the one DMV that supports their geography an hour away without a car. It's the most recent of techniques used to suppress voting since the poll taxing and literacy tests of the reconstruction era.

Unfortunately my comment wasn’t well-received, but that doesn’t take away from the reality. A federal ID, unencumbered by the bullshittery imposed in many states, would be opposed bitterly.


Digital certificates sound like a terrible idea.

I would prefer a smart token/card with a PIN on it.

And the government should not do anything stupid like try to put a GPS on it "for security purposes", which even if it was technically a good feature for that and not just another backdoor through which intelligence agencies can spy on everyone, it would kill the whole idea immediately.


A smart card is just a carrier for a digital certificate.


> I would prefer a smart token/card with a PIN on it.

What do you think is inside the token?


So, you would prefer that your legal obligations be determined by a privately manufactured black box?


The problem is if the social security number is used not only for identification but authentication. Knowing someone's SSN shouldn't ever get you anything: the SSN could as well be public information, ideally. I don't know about the US, but where I live, bank account numbers are effectively public: you could publish yours on the internet and all people could do is put money into your account. The bank will then require official authentication if you wish to use the account number to withdraw money.

Using a unique identification number for authentication is authentication by proxy. Yes, it's highly likely that only the right person knows his own number, but that never guarantees anything.

Make authentication easy and solid and the bar for fraud through stolen identity goes up.


What we really need are private keys, stored in hardware, like secure enclave. Whenever someone wants a proof of your identity, they ask you to sign a certain message with a timestamp.


> Multiple times throughout the hearing, Brazil’s Infraestrutura de Chaves Públicas system of citizen IDs through digital certificates came up as a potential model for the U.S. as it moves forward.

That made it sound as if every Brazilian had one of these, and it were the main citizen ID. That's not the case.

Here in Brazil, the main ID is the RG (Registro Geral), which is an identity card made of paper, issued by any of the 26 states (plus the Federal District). Since it's issued by the states, a single person can have more than one RG.

We also have the equivalent of USA's SSN, here called the CPF. Like the SSN, it's used as the person's tax ID, and is a national number. It's also issued as a card made of paper, but unlike the RG, it cannot be used for identification, since it has no picture or fingerprint. For simplicity, if you already have a CPF number when your RG is issued (or re-issued), you can have the CPF number printed on the RG card.

It's with the CPF that the "Infraestrutura de Chaves Públicas" (ICP) comes into view: you can get a certificate associated with your CPF, and use it for instance to sign your taxes. But it's not required, and most people don't have that certificate, or even know that it exists.

In my opinion, the reason we don't have the same problem as the USA is not some fancy digital certificate stuff, but the simple fact that the CPF number by itself does nothing: everybody also wants to see the RG card. And for income taxes, the electronic form also requires a number found in the previous year's income tax receipt. The income tax return will be deposited into a bank account of your choice, but AFAIK it only accepts a bank account where the account owner has the same CPF, and to open a bank account you need the RG (plus other documents).


What I want is control. I want to know who is accessing my credit history and for what purpose. And I want control of what accounts and business are able to access it.

The government can accomplish this by providing your identify in a way that provides this control and transparently, and requiring that businesses/third-parties come through this gateway for identification.


Recently my grandmother passed away. We found her social security card (from 1932) and it says very clearly "NOT FOR IDENTIFICATION". It seems some lessons are lost.


That refers to the card, not the number.

For some discussion of the history of this, see this old Straight Dope column: http://www.straightdope.com/columns/read/141/why-does-my-old...

PS: did you typo the year? Social security numbers were first assigned in 1935, and social security cards were first issued in 1936.


Yeah, it's a typo. She was born in 1932 but her card came after.


I was at the DMV with my daughter getting her learner's permit (shows my age), and we had her passport, but they insisted on seeing her SSN card as well. Luckily we had it, but I found it absurd that a passport was not enough! Yes, my state is full of dumbasses.


Not really.

The passport seems to meet the identity proofing criteria, but it’s a little more complex. It sounds like it was in your case used as a proxy for your kids’ birth certificate.

They require a second identity point when you have a document that substitutes for your birth certificate. Your passport + birth certificate would be ok in most states. Passports don’t meet all requirements because there are corner cases with certain passport types.


How many million lines of mainframe COBOL would need to be updated if the SSN were to go away?


A lot less when they take the lazy route and autofill 000-000-0000 and just remove any validation in the languages that are cheaper to hire for.


Is there a reason why SSNs can't become national ID numbers? It's the easiest path; all you need is to make new cards with biometric information (probably a photo).

The number can remain. Even if you add a validation digit, it can be computed algorithmically so you don't need to change the database.
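The validation digit idea above, worked through as an added example (this is not the commenter's code, and the comment does not name an algorithm; the Luhn scheme is my assumption). The point it shows is that the check digit is a pure function of the nine digits already stored, so the database row never changes: only the printed form gains a tenth digit, and a clerk's typo or transposition is caught before any record is looked up. The sample number is constructed.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// digitsOnly strips the dashes of "123-45-6789" so the stored 9-digit value is
// all that matters; the existing formatting never has to change in the database.
func digitsOnly(s string) string {
	var b strings.Builder
	for _, r := range s {
		if unicode.IsDigit(r) {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// CheckDigit computes a Luhn check digit for a 9-digit SSN-style number.
// Luhn is an assumption (the comment only says "a validation digit"); it catches
// every single-digit error and almost every transposition of adjacent digits.
func CheckDigit(ssn string) (int, error) {
	d := digitsOnly(ssn)
	if len(d) != 9 {
		return 0, fmt.Errorf("expected 9 digits, got %d", len(d))
	}
	sum := 0
	// Walk from the rightmost payload digit. It is doubled because the check
	// digit will occupy the final, undoubled position once appended.
	double := true
	for i := len(d) - 1; i >= 0; i-- {
		n := int(d[i] - '0')
		if double {
			n *= 2
			if n > 9 {
				n -= 9
			}
		}
		sum += n
		double = !double
	}
	return (10 - sum%10) % 10, nil
}

// WithCheckDigit returns the 10-digit form that a new card would carry.
func WithCheckDigit(ssn string) (string, error) {
	c, err := CheckDigit(ssn)
	if err != nil {
		return "", err
	}
	return digitsOnly(ssn) + fmt.Sprint(c), nil
}

// Validate checks a 10-digit number as typed, so a mistyped or transposed
// digit is rejected before the 9-digit key is ever used for a lookup.
func Validate(full string) bool {
	d := digitsOnly(full)
	if len(d) != 10 {
		return false
	}
	c, err := CheckDigit(d[:9])
	return err == nil && int(d[9]-'0') == c
}

func main() {
	const sample = "123-45-6789" // constructed sample, not anyone's number
	full, _ := WithCheckDigit(sample)
	fmt.Println(full, Validate(full), Validate("1234567879")) // 1234567897 true false
}
```

Validate deliberately recomputes from the first nine digits rather than trusting the tenth, which is what lets the same function serve both a freshly issued card and a hand-typed form.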


This would also serve as a good opportunity to replace those legacy systems


Ah, the real problem.


To me, a good solution would be a chip-based smart card with a private key on it for physical proof of identity, and an oauth api for web based stuff. The api would also power the back-end of the in person transactions and issue the vendor a token which they would use from that point forward.

In this system, everything would be logged in terms of who/what accessed your data and it could be de-authorized at any point.

The cards themselves could just be each state's ID/Drivers License to avoid the scare of the national id that many are opposed to for one reason or another. Replacing an ID would be as easy as visiting your DMV (shudder) and them invalidating your old private key.


You would rather the government store 300 million identifiers instead of Equifax?

There are crypto solutions to this problem, but they’re not as simple as symmetric encryption and smart cards. An ideal system will also enforce rules for storage and access. Something like your data is always encrypted with your own private key, and you can authorize bits of the data at a time to third parties.


No, the government wouldn't store anything other than the basic identity (which they already do) and issue verification tokens. The accessor would store their proprietary info as well as the access token to person's private info on the govt api.

Full blown crypto solutions to this don't really scale well and present many problems where the accessor would need to keep asking you for info to see if it changed.

My solution solves the main problem of having a universal number that can get your identity stolen. If we can fix that we have solved 90% of the problem and can work on other things like privacy of said data at a later date.


On a related note: have many in the US switched to locked mailboxes?

Without locked mailboxes, you can't even use the slow address/snail-mail 2FA that should be used for certain transactions when you don't have

E.g. if I want to take a loan, I'd say who I am and the bank would send the papers to sign to my mail address. Only after I sign the papers will I get the money. Someone pretending to be me would have to stalk my mail box (time consuming and hard because it's locked), or first change identity records to associate my name with his mail address. This greatly increases the difficulty of this kind of fraud. From just needing a fake ID, to either having to commit a long stalk of my mailbox and commit physical mail theft OR having to do a multiple phase fraud where authority address records are first changed.

Obviously this all hinges on a) id required to open bank account, b) central registry that maps id to mail address, separate from the bank.


I worry that they'll figure out that the easiest way to ditch social security numbers is to ditch social security.


It is quite straightforward to upgrade SSN system. Social Security Administration can generate deterministic Private+Public key pairs for all citizens.

Public key is your new SSN. If it gets stolen, simply generate a new public key, and give it out as a new number. All public keys are easily verified since SSA knows the private keys.


Just don't make me memorize a 4096 bit key :)


Why do you even need to memorize something like this? In any other country you do not memorize your tax ID... You just look it up when you need it.


It's pretty normal to memorize your 9 digit social security number, in the same way you know your phone number. Because the SSN card is a fundamental piece of identity theft, it's common practice to NOT carry the number in your wallet. You never know when you'll need the number, and very rarely need the actual card. I don't think I've ever used my physical SSN card in the last 5 years, but I need to provide the number itself quite often, especially on financial, employment, and government documents.

We still use paper checks, too. Good times.


SSN is FINE as a simple identifier. The problem is that organizations try to use it like a PIN code or password. It should NEVER be used as proof of identity per transaction requests. Software Engineering 101: Use the right tool for the job. If an org needs a PIN code or password, make one.


My first inclinations are that Apple and Google should be in these committee meetings. 77% of Americans own smartphones [1]. 99.6% of new smartphones run Android or iOS [2]. I would love for my iPhone to generate a private/public key pair, with the private key stored on the Secure Enclave.

To register my public key, I fill out, on my phone, a bit of basic public information: full legal name, place & date of birth, and my current address and submit it. My phone suggests a nearby SSA office and proposes several appointment times, reminding me the day of.

At the appointed time, I take my phone, passport, birth certificate, SSN card, driver's license and recent electric bill with my address on it to the local SSA office. [3] There, the administration manually inspects and verifies my documentation. Their systems then sign the authentication along with the current location, the time, the official's ID number, and a sha256 hash of a photo of me and the official holding up today's paper.

My phone chirps, I use my passcode/Touch ID/Face ID/Dance ID to digitally counter-sign their authentication. This assures me that when the SSA's private keys are rotated because of inevitable compromise or on a routine schedule, my public key was not overwritten by the attackers.

The SSA administration publishes my public key in their online directory. Private companies can download the public key directories and cache them, or pay Stripe-like vendors for just-in-time lookups. When I want to apply for a credit card, my phone chirps and I sign the credit request, just like Apple Pay. When I lose my phone, I run by the SSA office again before I apply for another credit card.

Empowered by this new security layer, Congress passes a law establishing that no one can be held liable for—and credit decisions may not be made against—accounts that have not been digitally signed for any citizen who has a verified public key.

And then I remember healthcare.gov and I wonder if I should even press submit.

[1] http://www.pewinternet.org/fact-sheet/mobile/

[2] https://www.theverge.com/2017/2/16/14634656/android-ios-mark...

[3] I wouldn't necessarily need to have all of these kinds of documentation, but the public directory system would be able to indicate which forms of identification I did have at time of authentication, for third parties to weigh the risk of identity theft.


So my legal identity is tied to proprietary hardware? Hardware that I arguably don't even meaningfully own? Running software with, especially in the case of Android, an atrocious security record? A secure enclave won't help if hackers just get the OS to call it to sign something malicious. It also kind of sucks for people who can't afford a smart phone.


> At the appointed time, I take my phone, passport, birth certificate, SSN card, driver's license and recent electric bill with my address on it to the local SSA office.

Say I'm homeless and I literally do not have any of those things. How do I prove my identity? (To be fair, I'm not sure how I'd prove my identity under the current system.)

Regardless of this... I can't have a credit card or any kind of loan without owning a smartphone? What if I can only afford a feature phone? What if I simply don't want to own a phone? What if I own a Windows Phone, and the software only runs on Android and iOS? What if I'm a developer who wants to start a new phone OS (new huge barrier to entry)?

I suppose I wouldn't be opposed to the option of having this stored on my phone, but what's wrong with just having a smart card with this information on it? If I lose it, it can still be easily revoked and replaced.


In retrospect, I'm not sure I was clear enough that my proposal was mostly a usability / familiarity hack for the general public. I agree this would only be an option.

Specifically, if I'm not in a financial position to own and maintain a smartphone, OR I'm not inclined to trust Apple or Google with my identity, I could acquire a (heavily subsidized?) smart card from the SSA office.

If I don't trust a national office with my identity (see the National ID debacle), I can choose not to use the system entirely. Banks can continue to offer to extend me credit by verifying my identity manually. Specifically, I wrote:

> no one can be held liable for—and credit decisions may not be made against—accounts that have not been digitally signed for any citizen //who has a verified public key.//

My idea being that if Bank of America sends me to collections or pursues a judgement against me, I can take them to small claims for the statutory limit by easily showing the judge that (1) I had a verified public key at the date of the debt and (2) Bank of America cannot provide my digital signature showing I accepted the debt. I'm in and out in a few hours and clear $5K.

If the proposal above had even 20% rollout/adoption, that's 65 million people who can sleep a bit more soundly at night knowing their identity is—not perfectly secure—but FAR more secure than our current system.


Obviously it is a problem that social security numbers are often accepted as proof of identity, but the article seems to be saying that permanent id numbers are bad even apart from this. I don't understand what the argument is though


The problem isn't that we have numbers. It's that corporations have little incentive to protect them.

Right now it's cheaper (i.e. more profitable) to do as little as possible and when/if they get hacked just pay extra on PR/lobbying for a couple weeks/month until someone else gets the public's attention.

Enact Huge (like $1000 per person exposed) fines, corporate death penalty, jail time for people in charge. And, I can guarantee you, companies will start actually protecting their data.


Senator Baldwin got Equifax to admit this in the hearing (around the 1:23:00 mark):

https://www.youtube.com/watch?v=LunazYJGNXU


How does it work in countries where the opposite is true (e.g. Sweden, where the "personnummer" is public info)? Why is there not massive identity fraud there?


For everything where identity is important there is liberal use of an ID card of decent quality, one with several counterfeiting features. Any drivers license also doubles as one. Online an electronic signature of some kind is used, exactly which varies a bit, but the one called BankID is accepted in most places.

Long rambling post ahead, I'm really, really terrible at writing something mostly coherent on the phone, apologies to everyone, but the above paragraph really is the only important part of this comment :)

For bigger financial transactions, if your counterpart is a company they will often do a credit check, which the credit checking provider is then by law required to inform you about through regular mail.

Sensitive online services from government and other companies mostly use some version of an electronic ID; the most common is generally known as BankID, which despite its name is simply an embodiment of an electronic ID. BankID got its name because it is provided by Bankgirot, a clearinghouse company with a long history in which most of the major Swedish banks have some ownership. Another implementation is provided by Telia AB, a formerly state owned telecommunications provider.

It's not a bulletproof system by any means, but for the most part it appears to work.

However, I'm not too enthusiastic about the eagerness to adopt "BankID on your mobile phone". It feels like it's only a matter of when, rather than if, someone will manage to exploit it through some security flaw in some of the popular smart phones. Which will inconvenience a lot of people until banks - most likely - simply roll back the transactions, as in the digital realm it's hard to disappear money when literally everyone gets assigned an ID.

Tangentially, the most common way used to create legitimate companies for illegal activities AFAIK, at least, used to be to pay off some substance abuser or petty thief to use their identity, and simply have them take the fall when/if things go south. So apparently, creating fake identities would appear to be rather hard.

Because the ubiquity of the personal number, and the liberal use of good quality ID cards. This number connected through tax, loans, land ownership, insurance etc, makes it somewhat hard to make money leave the digital world without trace. It would also be terrible in the hands of a competent totalitarian regime or fundamentalist (of any sort) government. Sometimes I think we subconsciously avoid that by voting for mostly uncharismatic leaders with little appeal except for them promising a little bit more money in your wallet, better social security, healthcare, child care, or school. In all cases better can be read as more available, efficient, and ecological from the left - and higher fees, stricter requirements, and lower availability from the right. But I digress.

There have been some areas of law/contract where identity theft was easier, notably land ownership/property laws. IIRC in the property laws it was essentially stated that a signature on paper with two witnesses signatures was indirectly used as proof of identity. Unsurprisingly, this led to some people getting their homes sold by third parties, and having to face a rather arduous legal procedure to get back to square one.

Yeah, that one was rather monumentally stupid, but it wasn't really caused by the personnummer being public.


Keybase.io has this problem solved in a way creditors, etc. could make good use of. Let the proofs be user/use driven.


no, we don't need a proprietary, centralized service for this.


Proprietary, no. Centralized? Yes, please.

Blockchains are great and all, but if you lose your private key you should not be barred from ever opening another bank account or getting insurance.

The SSA should switch to using asymmetric crypto keys and publish a web service that lets companies grab your public key based on a set of information (name, DOB, etc). Then that public key can be used to verify things signed by the private key.

In the case of a lost/compromised private key, the SSA can generate a new keypair, assuming the person can verify their identity.
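The two proposals above (the smartphone key registered in person at an SSA office, counter-signed by the citizen, and the SSA web service that returns a public key for a name and date of birth) share one mechanism, so here is one added example covering both. It is not code from either commenter or from the SSA: the attestation fields follow the first proposal, the lookup tuple follows the second, the JSON layout, office and official identifiers, and the photo bytes are constructed stand-ins, and Ed25519 from the Go standard library stands in for whatever the Secure Enclave would actually use. It shows why the counter-signature matters (an entry is only trusted if both the SSA's signature and the citizen's signature over it verify), how a lender checks a signed credit request, and how re-enrolling after a lost phone retires the old key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Attestation is the record an SSA office signs after inspecting documents in
// person. The fields follow the thread's proposal; the JSON layout is assumed.
type Attestation struct {
	PublicKey  ed25519.PublicKey `json:"pub"`
	Office     string            `json:"office"`
	OfficialID string            `json:"official"`
	When       time.Time         `json:"when"`
	PhotoHash  []byte            `json:"photo_sha256"`
}

// Entry is what the directory publishes: attestation, SSA signature, citizen counter-signature.
type Entry struct {
	Att     Attestation
	SSASig  []byte
	UserSig []byte
}

// Directory is the SSA's published key directory, keyed by (name, date of birth).
type Directory struct {
	SSAPub  ed25519.PublicKey
	entries map[string]Entry
}

func NewDirectory(ssaPub ed25519.PublicKey) *Directory {
	return &Directory{SSAPub: ssaPub, entries: map[string]Entry{}}
}

// Enroll is the in-office step: the SSA signs the attestation and the citizen counter-signs
// that signature from the phone. Re-enrolling replaces the earlier key (the lost-phone case).
func (d *Directory) Enroll(name, dob string, ssaPriv, userPriv ed25519.PrivateKey, att Attestation) error {
	if !att.PublicKey.Equal(userPriv.Public()) {
		return errors.New("attestation does not carry the citizen's own key")
	}
	body, err := json.Marshal(att)
	if err != nil {
		return err
	}
	ssaSig := ed25519.Sign(ssaPriv, body)
	d.entries[name+"|"+dob] = Entry{Att: att, SSASig: ssaSig, UserSig: ed25519.Sign(userPriv, ssaSig)}
	return nil
}

// Lookup returns the current public key only if both signatures verify, so an entry
// inserted under some other SSA key, or lacking the citizen's counter-signature, is rejected.
func (d *Directory) Lookup(name, dob string) (ed25519.PublicKey, error) {
	e, ok := d.entries[name+"|"+dob]
	if !ok {
		return nil, errors.New("no verified public key on file")
	}
	body, err := json.Marshal(e.Att)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(d.SSAPub, body, e.SSASig) {
		return nil, errors.New("SSA signature does not verify")
	}
	if !ed25519.Verify(e.Att.PublicKey, e.SSASig, e.UserSig) {
		return nil, errors.New("citizen counter-signature does not verify")
	}
	return e.Att.PublicKey, nil
}

// SignCreditRequest is the "my phone chirps and I sign" step.
func SignCreditRequest(userPriv ed25519.PrivateKey, request string) []byte {
	return ed25519.Sign(userPriv, []byte(request))
}

// VerifyCreditRequest is the lender's check: fetch the key, verify the exact request text.
func VerifyCreditRequest(d *Directory, name, dob, request string, sig []byte) bool {
	pub, err := d.Lookup(name, dob)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, []byte(request), sig)
}

func main() {
	ssaPub, ssaPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	photo := sha256.Sum256([]byte("constructed photo bytes"))
	att := Attestation{PublicKey: userPub, Office: "SSA-EXAMPLE-OFFICE", OfficialID: "OFFICIAL-0000",
		When: time.Date(2017, 11, 8, 10, 0, 0, 0, time.UTC), PhotoHash: photo[:]}
	d := NewDirectory(ssaPub)
	if err := d.Enroll("Jane Q. Example", "1980-01-01", ssaPriv, userPriv, att); err != nil {
		panic(err)
	}
	req := "credit card application, limit 500" // constructed request text
	sig := SignCreditRequest(userPriv, req)
	fmt.Println(VerifyCreditRequest(d, "Jane Q. Example", "1980-01-01", req, sig), // true
		VerifyCreditRequest(d, "Jane Q. Example", "1980-01-01", req+"0", sig)) // false
}
```

Note what the lender never receives: the private key stays on the device, and the directory hands out only the attested public key, so a breach of the directory exposes nothing that can be used to sign. The unsolved part, as the replies point out, is the enrollment policy itself (who gets a key, and what it takes to re-enroll), which no amount of signature checking fixes.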


Isn't that the same as if you lost your SSI number? In all seriousness, I remember my parents lost my sister's SSI number well after she was born (1970's). The amount of BS they had to go through to get that back and prove they had one, that she was who she was, etc. It nagged them for years.

Wouldn't the fix be to easily protect and recall your private key? I mean, not to get all science fiction but if you use a private key to replace an SSI, why wouldn't we move to a simple "chip" that we use with pets in case we lose it? Big brother, but I have to imagine it will certainly solve the key issue.


If your private key is compromised (discovered by someone other than yourself) then it needs to be regenerated, whether it can be easily remembered or not. Getting a new key should be a huge pain in the ass, and the tests to prove that you are who you say you are should be strict.

Don't lose your key.

I wouldn't be opposed to a chip, but I doubt Americans are going to let that happen because they'll think big government is tracking them (which they already are, and a chip doesn't change that or expand their capabilities, but we're not talking about the most rational bunch here).


Estonia is having to go through this now, all the digital ids they issued have cryptographic flaws and can be trivially cracked and must be reissued :(


Didn't they choose a proprietary solution? If so, sorry, but shame on them.


An "identity implant" could expand tracking capabilities if each use of a reader recorded your location.


Oh, I misread. I was thinking "chip" as in "chip and pin" (like an ID card). Implants would be kind of over the top. Not a fan of that idea.


If we go the centralized route, we're just creating another Equifax (walled garden). That has always worked out great in the past, right?


It depends on the scope.

You already have 50+ walled gardens, also known as the “Bureau of Vital Statistics”.

Any identity document you have in the US is either linked to a birth certificate in one of those registries, or with an immigration record maintained by the Federal government.


> You already have 50+ walled gardens, also known as the “Bureau of Vital Statistics”.

This seems like the bandwagon fallacy. That's no reason to continue the insanity of promoting walled gardens as a solution.


Your birth is when you become a human and your identity is created.

What would be a more ultimate root of trust than the memorial of your birth, held securely by a trusted authority?


Birth certificates are pieces of paper that literally anything identifying as a hospital can create 'officially'. It would be trivial to create a forged certificate, there are a ton of dark net sites offering them for sale. If the US $1 bill were this easy to create (it's not), it would be worth pretty much nothing.


> Birth certificates are pieces of paper that literally anything identifying as a hospital can create 'officially'.

I don't know how it works in European countries, but here in Brazil, birth certificates are made by notaries, not hospitals. You might be able to get forged hospital documents to take to the notary, but getting a "backdated" birth certificate for an adult is harder (getting a second copy of your birth certificate is easy, however; just go to the same notary, who has every birth certificate it emitted registered on its books).


The US has something like 7-10k issuing agencies.

In some places, it is trivial to request somebody’s birth certificate. It’s one of those weird US things where localities control stuff that they lack the ability to do well.

Regardless of issues, it’s still the penultimate representation of you.


Yup, and that's the anchor of trust. The walled garden doesn't make that better or worse... we're not going to have key signing parties at birth.

That’s why police and public trust background checks look to confirm bona fides with real people over an extended period. You still don’t know that the birth certificate is real in many cases, but you can trace it back to grade school if need be, or if the birth record is from a suspect issuer.


> That has always worked out great in the past, right?

Yes, absolutely. Sometimes centralization is a better solution. You pointed to one example where a shitty company failed. I'm not suggesting replacing the SSA with a scummy private company. Not sure where you're getting that idea.

I'm talking about the SSA changing their processes to include a more secure method of verifying identity without leaking information.

Same risks, same organizations, better technology.


I think the hope is that it is centralized through the government so that there is direct accountability to the public.


Since when is the government actually held accountable by the public, or has ever felt accountable to the public? If anything, it's only ever "just enough accountable" so much as nothing leaks out indicating otherwise. And even when it does, it's "oh, look over there, snowden/russia/DPRK/whatever!"


Isn't it obvious that this scandal was either provoked or amplified in order to make Americans get themselves mandatory government IDs with chips and biometrics?

...not that that would be a bad thing. Just getting in line with the EU and the rest of the world, finally. Mass monitoring would at least become a few orders of magnitude cheaper, hopefully spending those funds on more socially useful things. Offer a chip-less option for more privacy paranoid people, so that at least they can't be tracked remotely when they don't carry their phones (yeah, some countries have this option system). And it's all nice and dandy.

As a European, I find it mind boggling when I see people without adequately secured and mandatory IDs in the US...


I think one more thing that needs to be understood is how can one dynamically establish identity. I have never built a cryptographic system, but I thought maybe the following could be better:

Let's say Alice is a person wanting to establish Bob's identity.

1. Bob must be the only person who retains control over his identity.

2. Bob can verify he is who he says by a distributed system and Alice gets only a Yes/No answer.

3. All verification can be done in a distributed fashion, something like bitcoin/blockchain.

The most important thing here would be an implementation of the distributed nodes and how Bob's information is authenticated. But I think all these parts already exist. Political and business will is needed.


Is there a reason why we couldn't use state IDs for this purpose? We would just have to converge on a standard design, data structure, and set of APIs for access. It would also allow us to issue new ones easily in the event of a problem.


It exists already: https://www.dhs.gov/real-id


This seems like the best solution, not least because it avoids our American paranoia with a national ID.


I'd be all for user-friendly GPG keys or public/private key pairs for everyone.


Great that they're finally attempting to do something. But I get a little annoyed that congress always seems to act fast when it's something that might actually affect them. Otherwise it's back to partisan do-nothing.


God if this comes to fruition I will be so happy. The social security number is a horrible way to prove who I am.

I attended a small private college and they literally printed it on everything, it was our student ID.


>Today, the Senate Commerce Committee questioned former Yahoo CEO Marissa Mayer, Verizon chief privacy officer Karen Zacharia and both the current and former CEOs of Equifax on how to protect consumers against major data breaches.

That has got to be some kind of joke.

Why would they ask the former leaders of two companies (Yahoo and Equifax) who have experienced perhaps the largest data breaches of all time... "how to protect consumers against major data breaches?"

That is ridiculous.

They should have asked the current head of security from each company instead.


In Sweden we have a national id number given at birth which can be Luhn checked just like a credit card, and we use a digital id bound to a device with a pin number. We use them both in conjunction for online banking, filing taxes and all kinds of things and we have a dramatically lower rate of identity theft than the US.

The national id has been here for a long, long time and the digital id has been here for more than 10 years.
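The Luhn check mentioned in the comment above, as an added example written for this thread (not the commenter's code, nor anything from the Swedish authorities): a Go validator for the ten-digit personnummer form, with a calendar-date check on the YYMMDD part. The sample numbers in the test are constructed and belong to no one.

```go
package main

import (
	"strings"
	"time"
)

// luhnValid runs the Luhn (mod 10) check over a string of ASCII digits,
// the same algorithm used to validate credit card numbers: every second
// digit from the right is doubled, digit sums are taken, total must be 0 mod 10.
func luhnValid(digits string) bool {
	sum := 0
	double := len(digits)%2 == 0 // for a 10-digit number the first digit is doubled
	for _, r := range digits {
		if r < '0' || r > '9' {
			return false
		}
		n := int(r - '0')
		if double {
			n *= 2
			if n > 9 {
				n -= 9 // same as summing the two digits of the product
			}
		}
		sum += n
		double = !double
	}
	return sum%10 == 0
}

// ValidPersonnummer accepts YYMMDD-NNNC, YYMMDDNNNC or YYYYMMDD-NNNC. The
// century is dropped before the check because the check digit covers only the
// ten short-form digits. Coordination numbers (day + 60) fail the date check.
func ValidPersonnummer(pnr string) bool {
	s := strings.NewReplacer("-", "", "+", "").Replace(pnr)
	if len(s) == 12 {
		s = s[2:]
	}
	if len(s) != 10 {
		return false
	}
	if _, err := time.Parse("060102", s[:6]); err != nil {
		return false // YYMMDD is not a real calendar date
	}
	return luhnValid(s)
}
```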


Many Americans are just really afraid of anything being controlled by the government. It's why they keep doing stuff that us Europeans don't understand, like not having strict gun control, not having affordable health care, not having acceptable social security, etcetera. Americans tend to hate government more than they love themselves and others.

Having lived in the US it really bothers me, since there are so many great, caring people there that I don't understand why they keep doing what they do.


The timing on this is interesting given our current political climate and the power the "frightful five" quietly wield and the amount of data they compile about us. I'm all for a better ID system, but I'm extremely concerned that a public/private partnership would lead to someone like facebook, google, microsoft, apple or amazon issuing said ID or being able to get anywhere near it.


I've suggested this before here, but the card companies need to give other companies like Equifax reference numbers to store that uniquely identify the card to the credit card company (or others) but don't give the credit card number and don't get anybody closer to charging anything on the card.


Also important that whatever happens, they make it easier for people to revoke their id and get a new one.


I think more power needs to be given to the person whose identity is stolen. Similar to how the chip and pin system was rolled out: If a fraud is committed, the entity with the least secure method of transaction pays. That pushed retailers to upgrade their systems.


It would be easy to introduce a pin protected chip card and use 2FA all the time for everything. But in the US even credit cards do not have a chip and if they do it does not have a pin. The rest of the world has been using these security measures for almost a decade.


Good luck getting Grandma to understand that


Should we organize the world around what grandma understands?

How many grandmas are out there vs how many people who understand at the very least pin codes?


SSNs are fine identifiers (user names).

The problem is that people try to treat them like authenticators (passwords).

Using SSNs as identifiers everywhere would reduce lots of mistakes and bugs.

Having a national ID system and modern ID documents/verification would reduce fraud.

These would go very well together!


The Brazil idea sounds really cool to me. You can revoke identities if need be and they are more protected since they rely upon a public/private key system. Therefore, you can verify your identity without giving another party your secret info.


Instead of creating security systems around sensitive data, make data useless to thieves.


> “The parade of high-profile data breaches seems to have no end,” said ranking committee member Bill Nelson. “We can either take action with common sense rules or we can start planning for our next hearing on the issue.”

So true.


How about fingerprinting and other biometrics as a replacement? This would be a solid solution, easy to implement and could be integrated with already existing storage systems?


Biometrics are not replaceable when they are stolen.


Furthermore, they may not be unique.[1] We are also very far off from being able to trust the technologies that read biometrics, especially for the incompetents that the government usually contracts. I can't find the source, but there was a post/comment on HN linking to a bio engineering lab where they found that any fingerprint was being accepted. Your cell phone is likely light years ahead of anything a government contractor would put in place.

[1]: http://www.telegraph.co.uk/science/2016/03/14/why-your-finge...



Unless of course the algorithm that powers the crypto is discovered to be flawed and predictable.


The current algorithm is demonstrably the worst. ROT13 would be stronger.


ROT13 is too weak, use ROT26, it's twice as strong.


My ID: anzr: jnerag cnffjbeq: cnffjbeq123 vs qrpelcgrq, cyrnfr qvfertneq naq rznvy ercbeg@frphevgl.tbi


This is what is actually happening right now in Estonia [1].

What's the solution? Make the card support at least 2 crypto algorithms and regenerate certificates, if a flaw in the main algorithm is found.

[1]: https://arstechnica.com/information-technology/2017/11/flaw-...


Why were businesses ever allowed to use SSNs in the first place?


Long time overdue.


So regardless of the possibility that somebody gets simply part of your number, it can be anything but difficult to make sense of the rest. Analysts in 2009 composed a calculation that could foresee a Social Security number effectively 44 percent of the time in the United States.


What's Yahoo doing there? Why is she still employed by anyone? LOL...

